Migration Strategies: Cisco Software Defined Access
BRKENS-2827, Cisco Live 2023
Kedar Karmarkar, Principal Technical Marketing Engineer
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Questions? Use the Cisco Webex App to chat with the speaker after the session: find this session in the Cisco Live Mobile App, click "Join the Discussion", install the Webex App or go directly to the Webex space, and enter messages/questions there. Webex spaces will be moderated by the speaker until June 9, 2023.
About the speaker
- Kedar Karmarkar, Principal Technical Marketing Engineer
- 23 years with Cisco: Switching, Wireless, SDN Controllers, SD-WAN; back to Switching with Software-Defined Access
- When not working, I am out taking pictures of military aircraft and old warbirds

Cisco SD-Access Fabric Roles and Terminology
- Control-Plane Nodes: map system that manages Endpoint-to-Device relationships
- Fabric Edge Nodes: a fabric device (e.g. Access or Distribution) that connects wired endpoints to the SD-Access fabric
- Identity Services: NAC and ID services (e.g. ISE) for dynamic Endpoint-to-Group mapping and policy definition
- Fabric Border Nodes: a fabric device (e.g. Core) that connects external L3 network(s) to the SD-Access fabric
- Intermediate Nodes (Underlay)
- Network Automation: simple GUI and APIs for intent-based automation of wired and wireless fabric devices
- Network Assurance: data collectors analyze Endpoint-to-Application flows and monitor fabric device status
- Fabric Wireless Controller: a fabric device (WLC) that connects Fabric APs and wireless endpoints to the SD-Access fabric
[Diagram: Campus Fabric with Control-Plane Nodes, Fabric Border Nodes, Fabric Edge Nodes, Fabric Wireless Controllers and Fabric Wireless Access Points; Cisco DNA Center (Automation, Assurance); Identity Services]

Options for deployment
- Cisco DNA Center automated configuration of a Cisco LISP Fabric, which includes Macro and Micro Segmentation
  - Includes SDA Automation Workflows and Integrations
  - Best-practice standardized configurations
  - Includes SDA Assurance
- OR: CLI configuration of a Cisco LISP Fabric, which includes Macro and Micro Segmentation
  - Open integration with heterogeneous tooling (CLI, Ansible, NSO, etc.)
  - Agile customization within the parameters of the LISP Fabric validated design
  - Can support DNAC Device and Client Assurance
  - Subset of features supported compared to what is available with Cisco DNA Center

Agenda
- Considerations Before You Migrate
- Migrate L2 Access with new subnet/s
- Migrate L2 Access with existing subnet/s
- Migrate MPLS-VPN designs
- Migrate Routed Access Campus Designs
- Migrate Wireless and integrate into Fabric
- What Next?

Considerations before you start migration
Small things that matter much!

VXLAN
- VXLAN adds 50 bytes to the original Ethernet frame in the overlay
- Avoid fragmentation by adjusting the network MTU
- Ensure Jumbo Frame support on switches in the underlay network
[Diagram: existing network MTU 1500 in the underlay; overlay frames are MTU 1500 + encapsulation]

TCP MSS
- TCP MSS adjust is supported in 16.9.1s and later
- Available only on Catalyst 3K and 9K, and works only on TCP-based applications
- Applied to the overlay SVI on Fabric Edges via Template Editor
- PMTUD is being explored as a solution for UDP traffic
- As of now, Jumbo MTU is mandatory on all switches

Re-configuration of Access Layer
- Layer-2 Switched Access today: L2 links to Distribution
- Routed Access tomorrow: L3 links to Distribution

Physical Network Topology
- Cisco SD-Access fabric runs over most topologies: traditional 3-tier hierarchical network, collapsed core/aggregation, routed access, U-topology
- Ideal to start with routed access: it allows the fabric to extend to the very edge of the campus network with minimum impact
- Ensure that all switches have IP reachability to infrastructure elements; follow campus CVDs with routed access
[Diagram: Hierarchical (L2 access, L3 above), Routed Access (L3), Collapsed Core (L2), U-Topology (L2)]

IP Addressing for Underlay and Overlay
- Know your IP addressing and IP scale requirements
- IPv4-only underlay (today)
- Fabric uses Loopback 0 as Source-Interface for Encapsulation
- Best to use a single aggregate for all underlay links and loopbacks
[Diagram: Underlay Network with loopbacks 10.10.10.252/32, 10.10.10.253/32, 10.10.10.254/32 and link subnets 10.10.10.0/30, 10.10.10.4/30; Overlay Network with 192.168.1.1/32, 192.168.1.2/32]

Features enabled today
- Where are policies applied today? For example, features like QoS, NetFlow, Policy-based Routing, IP ACLs?
- Need to move the policy enforcement point(s) down to the Access layer or outside the fabric
[Diagram: QoS, NetFlow, WCCP, IP ACLs]

Move to different points in the fabric network
- Move some policy enforcement point(s) down to the Access Layer. For example, IP ACLs, QoS, NetFlow can be applied at the Access layer
- Move some policy enforcement point(s) outside the SD-Access fabric. For example, PBR, WCCP can be applied external to the fabric
[Diagram: QoS, NetFlow, IP ACLs at the Access layer; IP ACLs, WCCP, PBR outside the fabric]
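The relocation described above, as an added IOS-XE example that is not from the deck and not Cisco's reference configuration: an IP ACL and a Flexible NetFlow monitor that lived on a distribution-layer SVI are re-applied on the access port of the new Fabric Edge, where endpoint traffic is still un-encapsulated. ACL and flow object names, the collector address 10.10.10.50, the server addresses, VLAN 1022 and the interface numbers are assumptions.

```cisco
! --- Flexible NetFlow objects reused by both the "before" and "after" placement
flow record CAMPUS-REC
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 collect counter bytes long
 collect counter packets long
!
flow exporter CAMPUS-EXP
 description Assumed collector address
 destination 10.10.10.50
 source Loopback0
 transport udp 2055
!
flow monitor CAMPUS-MON
 record CAMPUS-REC
 exporter CAMPUS-EXP
 cache timeout active 60
!
! --- Policy: printers may only reach DHCP, the DNS host and the print server
! (addresses assumed). "in" on an SVI and "in" on an access port both match
! traffic sourced by the endpoint, so the ACL keeps its meaning when it moves.
ip access-list extended PRINTER-OUTBOUND
 remark Assumed DNS host 10.10.0.10 and print server 10.10.0.20
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.10.0.10 eq domain
 permit tcp any host 10.10.0.20 eq 9100
 permit tcp any host 10.10.0.20 eq 631
 deny   ip any any
!
! --- Before: enforcement on the distribution SVI (Dist-1). Once the access
! switch is a Fabric Edge, Dist-1 is an intermediate node that only forwards
! VXLAN-encapsulated packets, so this ACL and monitor no longer see the
! endpoint's inner IP headers.
interface Vlan20
 description Printer VLAN gateway, pre-migration
 ip address 10.10.2.1 255.255.255.0
 ip access-group PRINTER-OUTBOUND in
 ip flow monitor CAMPUS-MON input
!
! --- After: same ACL and monitor on the Fabric Edge port (Access-3), applied
! as a port ACL and an interface flow monitor on the L2 access port.
! VLAN 1022 stands in for the VLAN Cisco DNA Center provisions for the pool.
interface GigabitEthernet1/0/1
 description Printer port on Fabric Edge
 switchport mode access
 switchport access vlan 1022
 ip access-group PRINTER-OUTBOUND in
 ip flow monitor CAMPUS-MON input
```

The "after" block is what a Template Editor template for the edge ports would carry; the SVI on Dist-1 is removed rather than migrated, since the anycast gateway for the pool is provisioned on the Fabric Edge by Cisco DNA Center.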
Two Basic Types of Deployments
- Campus Networks (Large Sites)
- Branch Networks (Small Sites)

Typical Campus Networks
[Diagram: Services Block (DDI), WAN Block (Branch IWAN, MPLS), DC Block (DC IWAN), Internet Block (I-NET); Super Core; Core; Aggregation Layers; Layer-2 and Layer-3 links]

Typical Branch Networks
[Diagram: DDI, Branch IWAN, MPLS, I-NET; Collapsed Core; Access Layer]

Two Basic Approaches to Migration
- Parallel Deployment (all at once)
- Incremental Deployment (one at a time)

Migration Approaches: Parallel vs Incremental (rows grouped on the slide under Resources and Implementation)
- Best for: Parallel, Branch (small scale) deployments; Incremental, Campus (any size)
- Cabling: Parallel requires cable runs to create a new parallel network; Incremental requires a couple of cables from new access and distribution switches
- Power: Parallel needs power and outlets for the parallel network; Incremental has an incremental power and outlet requirement
- Legacy hardware in existing network: both
- Upgrade most of the network infrastructure: both
- Design: Parallel is a clean slate (leaving behind any complexity in the old design); Incremental will need to carry forward the constraints of the old design in the underlay
- Testing: Parallel lets you test users in a completely new network; with Incremental, the test of functionality is partial
- Easy rollback of migrated users: both

Parallel Install may not be feasible for Campus Networks
[Diagram: campus with DDI, Branch IWAN, DC IWAN, Internet, MPLS, I-NET]

Parallel Install for Branch Networks
[Diagram: branch with DDI, Branch IWAN, MPLS, I-NET]

Installing Management Components
Brains behind automation and policy orchestration
Install Cisco DNA Center and ISE
- Create Network Hierarchy of Sites
- Create Network environment for NTP, DHCP, and other management entities
- Create Virtual Networks
- Integrate ISE with Cisco DNA Center
- Define policies in Cisco DNA Center or ISE, whichever is applicable
- Create network templates to be provisioned on switches, routers, WLCs
- Discover the devices

Migrate L2 Access

Existing Network: VLANs span Access block
[Diagram: External Network; Core-1, Core-2 (L3 boundary); Building #1 with Dist-1, Dist-2, Access-1, Access-2 (L2 Domain, VLANs 10-20); Building #2 with Dist-3, Dist-4, Access-4, Access-5 (L2 Domain, VLANs 21-30)]

Getting Started
- Configure one Core that will act as the Default Fabric Border
- Host the Control Plane on the Default Fabric Border for simplicity
- Add a switch in the access layer that will act as the Fabric Edge
[Diagram: External Network; IP Network; Border/Control Plane Node (B, C); Edge Node (E)]

Incremental Migration: High Level concept
- Deploy a Border/Control Plane node and an Edge node
- A virtual network with a new address is formed over the existing network
- Incrementally add Fabric Edge nodes
- The virtual network connects to the existing/external network via the border
[Diagram: Rest of the Network; existing IP distribution network (underlay); Border/Control Plane Node; Edge Nodes; Virtual Network (new IP scope); Existing Network (existing IP scope); route between IP scopes]

Considerations for using new subnets to transition
- Immediately realize the advantages of bigger, but fewer, subnets that are optimized for Cisco SD-Access
- Design for the present and the future
- Add DHCP scope and size
- Update existing firewall rules for that one big subnet
- Not a big issue for endpoints with IP stacks that work well with DHCP
[Diagram: Before, 10.10.1.0/24 through 10.10.9.0/24; After, 10.10.0.0/16]

Migrate L2 Access: Insert new Access Switch
- Connect a new switch (Access-3) in the access layer and connect it to the distribution layer with Routed Access
[Diagram: Building #1 with Dist-1, Dist-2, Access-1, Access-2, Access-3; Core-1, Core-2; L3 boundary]

Prepping the Switch and underlay
Set the following on the Fabric nodes and other nodes in the underlay:
- Set MTU to 9100 on the switch and the existing network
- Configure ip routing
- Set username and password for device access
- Configure VTY and console lines for device access
- Configure NTP
- Configure SNMP, syslog
- Configure Loopback0 (/32) for RLOC, and underlay IP addresses
- Configure multicast in the underlay if you want to run native multicast in the fabric

Migrate L2 Access: Configure Fabric on the new Switch and Core
- You can reuse an existing Core switch if it supports Fabric functionality
- NOTE: this may require a software upgrade and adding new fabric overlay configurations
- Configure the Fabric Edge and Border/CP from Cisco DNA Center
[Diagram: Core-1 as Border/Control Plane (B, C); Access-3 as Edge (E)]
Migrate L2 Access: Option of connecting Border/CP to Core
- If the existing core does not support Fabric functionality, connect a new switch to the existing core layer that will be a Border/Control Plane node
[Diagram: separate Border CP switch attached to Core-1/Core-2; Access-3 as Edge]

Migrate L2 Access: Configure IP Transit handoff
- Configure the respective IP Transit VRF handoffs to the upstream router
- Configure the required route-leaking at the upstream router
- Fabric and existing network traffic will communicate via the upstream router

Communications in SD-Access Fabric
- East-West: Fabric Border is Exchange Point with Fusion Router
[Diagram: Core-1, Core-2, Border CP, Router-1, Router-2, Dist-1, Dist-2, Access-1, Access-2, Edge-1, host 10.1.51.2; legend: un-encapsulated packet, VXLAN-encapsulated packet]

Communications in SD-Access Fabric
- North-South: Fabric Border is Exchange Point with Fusion Router
[Diagram: same topology and legend as above]

Migrate L2 Access: Rollover
- Move users to the new Fabric Edge
- Reconfigure the existing Access switch with routed access upstream
- Configure Fabric Edge using Cisco DNA Center
- And continue

Migrate L2 Access: Reconfigure Second Core to be Border/CP
[Diagram: Core-1 and Core-2 both Border/Control Plane; Access-3 and a second access switch as Edges]

Migrate L2 Access: Configure Fabric Edge functionality on Access
[Diagram: all access switches as Edges; L3 boundary at the access layer]

Migrate L2 Access Using Fabric Edge nodes at Distribution
Get Ready, Strap In, here we go!

Migrate L2 Access: Challenge in converting Access Layer
- Access layer not compatible with SD-Access functionality
- Critical or high-risk environment to move into fabric
- Need a quick win from a segmentation perspective
[Diagram: Core-1, Core-2 as Border/Control Plane; Dist-1, Dist-2; Access-1, Access-2; L3 boundary at distribution]

Migrate L2 Access: Challenge in converting Access Layer
- Consider Vlan 10 (10.1.1.0/24) and Vlan 20 (10.1.2.0/24) present on the existing network switches
- SVIs of Vlan 10 and Vlan 20 are on the Distribution switches
[Diagram: SVI10 and SVI20 on Dist-1 and Dist-2]

Migrate L2 Access: Convert Distribution to Fabric Edge
- Easier and a quick way to migrate the network into fabric
- Shut down SVIs on Dist-2
- Shut down trunk links; single-connect from Access to Distribution (FE)
- Configure Dist-1 as a Fabric Edge
- Use the custom VLAN# feature to configure the same VLAN as the existing network
[Diagram: Dist-1 as Edge with SVI10/SVI20; SVIs and trunks on Dist-2 shut down]

Migrate L2 Access: Distribution to Fabric Edge
- Redundancy provided by in-system redundancy in the distribution node, e.g. SVL or StackWise or redundant Supervisors in a modular chassis

Migrate L2 Access: Distribution #2 to Fabric Edge
- Configure Dist-2 as another Fabric Edge
- Dual-connect with FlexLink+ on the L2 switches, Active/Standby mode only
[Diagram: Dist-1 and Dist-2 both Edges with SVI10/SVI20; FlexLink+ from the access switches; Vlan10 active on one link, standby on the other]

Migrate L2 Access: Distribution #2 to Fabric Edge
- Consider the scale of local endpoints that can be onboarded on an individual fabric edge node
- E-W micro-segmentation happens on the Fabric Edge nodes, not on the Access switches
- The SGACL policy enforcement point will be the Distribution switches that act as Fabric Edges

Migrate L2 Access: Option to load-balance
- Build an SVL pair at the distribution layer for redundancy and additional usage of links for bandwidth
[Diagram: Dist-1/Dist-2 SVL pair as a single Edge with SVI10, SVI20]

Migrate L2 Access: Rolling migration to convert Access to fabric
- Connect Access with routed links to Distribution
- Prep the switch with Loopback0 and other management configurations
- Discover the device and configure Fabric Edge functionality using Cisco DNA Center
[Diagram: Access-1, then Access-2, converted to Edges one at a time]

Migrate L2 Access: Rolling migration to convert Access to fabric
- Once the Access layer is converted to Fabric Edge, de-configure the Distribution switches to normal switches, aka intermediate nodes
- Follow a similar procedure in Building #2 to create the fabric in the entire campus

Migrate L2 Access: End state of network migrated to fabric
[Diagram: Core-1, Core-2 as Border/Control Plane; Dist-1 to Dist-4 as intermediate nodes; Access-1, Access-2, Access-4, Access-5 as Edges; Building #1 and Building #2]

Migrate L2 Access Using L2 Border for inter-operating same subnets in and out of Fabric
Get Ready, Get a beverage of your choice (Double Espresso), Strap In, here we go!

Existing Network: VLANs span Distribution Blocks
[Diagram: Building #1 (Dist-1, Dist-2, Access-1, Access-2) and Building #2 (Dist-3, Dist-4, Access-4, Access-5); Core-1, Core-2 (L3 boundary); one L2 Domain, VLANs 10-30]

Incremental Migration: High Level concept
- Deploy a Border node and incrementally add Edge Nodes
- A virtual network is formed over the existing (underlay) network
- The virtual network(s) use the same subnet addresses as the existing network
- The virtual network connects to the external network through the border
[Diagram: Existing Campus and External Network; existing IP network (underlay); Border/Control Plane Node; Edge Nodes; Virtual Network (existing IP scope); Existing Network (existing IP scope); switch between IP scopes]

Migrating to SD-Access retaining existing subnets
- Insert an Access Switch (Edge-3) with routed uplinks
- Prep the switch and the underlay network for the requisite routing to route Lo0 and the physical link subnet
- Configure fabric via Cisco DNA Center
- Configure the same subnet using a different VLAN number on the Fabric Edge in the VRF
[Diagram: existing network 10.1.1.0/24 on VLAN 10 (SVI10 on Core-1/Core-2); fabric 10.1.1.0/24 on VLAN 1021, L2 VNI = 8188; Edge-3]

Migrating to SD-Access retaining existing subnets
- Remove SVI 10 from Core-1 and Core-2
- Configure L2 Handoff at Core-2: map 10.1.1.0/24 to VLAN 10 in the L2 handoff details on Core-2; this maps VLAN 10 to L2 VNID 8188

Migrating to SD-Access retaining existing subnets
- In-system redundancy at Core-2, e.g. SVL or StackWise, or a modular chassis with redundant Supervisors

Layer-2 Border Scale
- Scale figures per the Cisco DNA Center 2.3.5 Data Sheet
Migrating to SD-Access retaining existing subnets
- Flash-cut and roll-over migration of Fabric Edges in the network
- Same as outlined in the slides earlier

Migrating to SD-Access retaining existing subnets
- Flash-cut and roll-over migration of Fabric Edges in the network
- Re-configure L2 links in Building #1 to L3
[Diagram: Access-1 and Access-2 converted to Edges; L2 handoff at Core-2]
Migrating to SD-Access retaining existing subnets
- Flash-cut and roll-over migration of Fabric Edges in the network, same as outlined in the slides earlier
[Diagram: Access-4 and Access-5 converted to Edges]

Migrating to SD-Access retaining existing subnets
- Re-configure L2 links to L3 links
- De-configure the L2 handoff after all the Access switches are configured as Fabric Edges with all the VLANs in the fabric
[Diagram: all access switches as Edges with 10.1.1.0/24 on VLAN 1021, L2 VNI = 8188]

When to use a L2 Border and Fabric Edge to connect L2 Domain
- Use L2 Border when there are the same subnets inside the fabric and outside the fabric
- Use Fabric Edge when you want to absorb L2 subnets within a fabric

Communications in SD-Access Fabric
- East-West: hosts in the same subnet, inside and outside the fabric
[Diagram: Core-1, Core-2, Border CP, L2 Border, Router-1, Router-2, Dist-1, Dist-2, Access-1, Access-2, Edge-1, host 10.1.51.2; legend: un-encapsulated packet, VXLAN-encapsulated packet, bridged packet]
Migrating MPLS VPN to SD-Access

Existing Network with MPLS VPN
[Diagram: MPLS core; CE#11, CE#13; PE#11, PE#12, PE#21, PE#22; R31, R32]

Migrating to SDA over MPLS Core: Existing Network
- Start with a typical Layer-2 network
- L2 VLANs in the access layer (VLANs 10, 20, 30, etc.)
- VLANs are spanned across the distribution layer
- L2/L3 boundary at the distribution (SVI for VLANs 10, 20, 30, etc.)
- L3 upstream from distribution to core
- Distribution is the PE for the MPLS VPN
- 3 VRFs (Red, Green, Blue), and one Global Routing Table (Black)
- Campus core is MPLS

IGP Design In The Existing Network
[Diagram: Core IGP between PEs and core; IGP; MP-BGP between PEs]

Migrating to SDA over MPLS Core: IGP Design in the Existing Network
- IGP between the PEs and Core devices
- MP-BGP between the PE switches for MPLS VPN
- There might be VRF-specific routing at the point in the network where the Campus goes out to WAN, Internet, etc., which is shown at the right of the previous slide

Conversion to Routed Access on one Access Switch
- Intent is to make the underlay for the MPLS network extend to be the underlay for the SDA overlay network
[Diagram: CE#11 converted to routed access; Core IGP, IGP, MP-BGP]

Migrating to SDA over MPLS Core: Converting to Routed Access in first Fabric Edge
- Re-configure the link between the access and distribution as a routed link
- Configure the Loopback0 interface on the switch
- Configure "mtu 9100" across all switches
- Configure IGP (preferably what is used in the core, OSPF) between the three switches (access, and two distribution switches)
- Advertise the Loopback0 and physical subnet into the core
- Check for East-West traffic of the existing network that should not be impacted
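The underlay preparation listed in "Prepping the Switch and underlay" and repeated in the routed-access steps just above, as an added IOS-XE configuration for a Catalyst 9000 access switch that is not from the deck and not Cisco's reference configuration. Addresses follow the deck's addressing slide (a single 10.10.10.0/24 aggregate for loopbacks and links); the hostname, interface number, OSPF process, NTP/syslog/SNMP hosts, the RP address and the password placeholders are assumptions. Cisco DNA Center adds the fabric overlay configuration after discovery; this is only what must be in place before it.

```cisco
! Assumed hostname; Access-3 is the new access switch from the L2 access slides
hostname Access-3
!
! Jumbo MTU so the 50-byte VXLAN overhead never forces fragmentation.
! Set the same value on every switch in the underlay path.
system mtu 9100
!
! Routed access: the switch must route, not just bridge
ip routing
!
! Device access: local account with a hashed secret, SSH v2 only on the
! VTY lines, login required on the console. Replace the placeholders.
username netadmin privilege 15 secret PLACEHOLDER-STRONG-PASSWORD
ip domain name campus.example.net
crypto key generate rsa modulus 2048
ip ssh version 2
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
!
! Time sync and remote logging to assumed management hosts
ntp server 10.10.10.51
logging host 10.10.10.52
!
! SNMPv3 with authentication and privacy (no community strings);
! the group and user names are assumed
snmp-server group DNAC-RO v3 priv
snmp-server user dnac DNAC-RO v3 auth sha PLACEHOLDER-AUTH priv aes 128 PLACEHOLDER-PRIV
!
! Loopback0 /32: the RLOC and source interface for VXLAN encapsulation
interface Loopback0
 description RLOC
 ip address 10.10.10.254 255.255.255.255
 ip pim sparse-mode
!
! Uplink to Dist-1 converted from an L2 trunk to a routed /30 link;
! interface number and the .1/.2 assignment are assumed
interface TenGigabitEthernet1/1/1
 description Routed uplink to Dist-1
 no switchport
 ip address 10.10.10.2 255.255.255.252
 ip pim sparse-mode
!
! Native multicast in the underlay, only needed if the fabric will run it;
! the RP is assumed to be Dist-1's loopback 10.10.10.253
ip multicast-routing
ip pim rp-address 10.10.10.253
!
! IGP matching the core (OSPF here). The network statement covers the
! whole underlay aggregate, so Loopback0 and the link subnet are both
! advertised; the loopback stays passive.
router ospf 1
 router-id 10.10.10.254
 passive-interface Loopback0
 network 10.10.10.0 0.0.0.255 area 0
```

The same block, with its own Loopback0 and link addresses, applies to the Border/Control Plane jump-off switches described next; after it is in place, check that Loopback0 is reachable from the core before starting discovery in Cisco DNA Center.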
Insert Potential Default Border/Control Plane at PE
[Diagram: B#21 and B#22 attached to PE#21 and PE#22]

Migrating to SDA over MPLS Core: Adding Potential Border/Control Planes to existing PE switches
- Insert potential Border/Control Plane jump-off switches off of the PE switch in the existing network
- Configure routed links between the two switches and the PE switches
- Configure the Loopback0 interface on the switch
- Configure "mtu 9100"
- Configure IGP (preferably what is used in the core, OSPF) between the four switches (access, and two distribution switches)
- Advertise the Loopback0 and physical subnet into the core
- Check for East-West traffic of the existing network that should not be impacted

Provision Fabric nodes
[Diagram: B#21 and B#22 as Border/Control Plane (B, C); CE#11 as Edge]

Migrating to SDA over MPLS Core: Provision Fabric on Edge and Default Border/Control Plane
- Using DNAC, configure the access switch to be a fabric edge, while configuring the jump-off switches as default border and control plane nodes
- Check for E-W, N-S traffic of the existing network that should not be impacted

Provision IP Pool using new subnet
[Diagram: VLAN 3000, 10.0.0.0/16 on the Edge]

Conversion to Routed Access on one Access Switch
- If the PE platform is a Catalyst 9000 Series switch, then MPLS and VXLAN cannot coexist
[Diagram: Border/Control Plane cannot be co-located on the PE]

Migrating to SDA over MPLS Core: Provision IP Pool with new subnet
- Using DNAC, provision an IP Pool using the new subnet
- Set up external connectivity on the Borders, mapping SDA VRFs into the MPLS VPN VRF to route this prefix externally
- In the above example, I have the SDA VRF mapped into the Blue VRF at the Border connecting into the PE
- Fabric traffic will come into the Edge, go to the Border, and then from the Border over to the Blue VRF into MPLS VPN and either go to the access switch in Blue VRF at the left bottom of the picture denoted by the Blue arrow

Conversion of Fabric Edge to full Routed Access
[Diagram: VLAN 3000, 10.0.0.0/16; VLAN 10, VLAN 20 on the Edge]
97、 its affiliates.All rights reserved.Cisco Public#CiscoLiveMigrating to SDA over MPLS CoreConverting to full Routed AccessUse DNAC to provision multiple IP Pools in fabricSetup external connectivity on the Borders mapping SDA VRFs into MPLS VPN VRF to route this prefix externallyFlash-cut or install
98、a new switch in the access layer.Move/Configure the links to routed access from access to distribution.BRKENS-2827 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLive83Incrementally add additional Fabric EdgesMPLSCE#11CE#13PE#11PE#12PE#21PE#22R31R32B#21B#22BCCBVLAN3000 10.0.0
99、.0/16VLAN3000 10.0.0.0/16BRKENS-2827 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveMigrating to SDA over MPLS CoreIncremental Fabric Edge provisioningUse DNAC to provision additional fabric edges in the networkRepeat the same steps from before converting L2 Access to rou
100、ted access and eventual fabric edge conversionBRKENS-2827 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLive85Moving away from MPLS to an IP CoreIP CoreFE#11FE#13IntermediateIntermediateIntermediateIntermediateR31R32B#21B#22BCCBVLAN3000 10.0.0.0/16VLAN3000 10.0.0.0/16BRKENS-
101、2827 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveMigrating to SDA over MPLS CoreMoving to an IP CoreOnce all the prefixes are moved away from MPLS VPN and into SD-Access,there will not be any need to retain MPLS VPN configurations in the networkRemove MPLS VPN and even
102、tually MPLS from the network coreMoving to a IP Core and classic Cisco SD-Access solutionBRKENS-2827Migrating Routed Access DesignsHop,and maybe a skip,and you are done!2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveMigrating Routed Access to Cisco SD-AccessExternal Netwo
Migrating Routed Access Designs
Hop, and maybe a skip, and you are done!

Migrating Routed Access to Cisco SD-Access
[diagram: a routed-access campus with Access, Distribution and Core layers connected to the External Network]

Routed Access Design Considerations
- The existing subnets can be re-used when migrating into Cisco SD-Access
- No changes to the existing DHCP scopes and subnet sizes
- No changes to existing firewall or other policies that are based on IP ACLs
- The old network design is retained for familiarity
- The advantages of bigger subnets (fewer subnets, optimized for Cisco SD-Access) cannot be realized

Routed Access Migration to Cisco SD-Access
1. Shut down the existing SVI (VLAN 10 in this case)
2. Provision the existing subnet from Cisco DNA Center (10.1.1.0/24 in this case)
3. Cisco DNA Center provisions VLAN 1021 with 10.1.1.0/24
4. Move the hosts to the fabric-enabled IP pool
5. Verify connectivity
[diagram: the first access switch, now a fabric edge, carries 10.1.1.0/24 on VLAN 1021 while 10.1.2.0/24 still sits on legacy VLAN 20; border (B) and control-plane (C) nodes connect to the External Network]

Routed Access Migration to Cisco SD-Access (continued)
- Repeat the process for the other VLANs on the fabric edge
- Repeat the same process on the other access switches, converting them to fabric edges
- Migration is one switch at a time, NOT one VLAN at a time
[diagram: both access switches are now fabric edges, each with 10.1.1.0/24 on VLAN 1021 and 10.1.2.0/24 on VLAN 1022]
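The five steps above, carried through on one access switch, as an added example that is not from the session and not Cisco DNA Center's generated output: VLAN 10, VLAN 1021 and 10.1.1.0/24 come from the slides; the gateway 10.1.1.1, the VN name Campus_VN, the DHCP server 10.10.10.10, the LISP instance-id 4099, the dynamic-EID name, the host address 10.1.1.50 and the interface names are assumptions, and the provisioned SVI is shown in shape only because the exact configuration Cisco DNA Center generates varies by release.

```cisco
! Added example (not from the session). Catalyst access switch being
! converted from routed access to fabric edge. 10.1.1.1, Campus_VN,
! 10.10.10.10, instance-id 4099, the dynamic-EID name, 10.1.1.50 and the
! interface names are assumptions; VLAN 10 -> VLAN 1021 with 10.1.1.0/24
! is what the slides describe.

! --- Before: routed-access configuration on the access switch ----------
interface Vlan10
 ip address 10.1.1.1 255.255.255.0
 ip helper-address 10.10.10.10
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10

! --- Step 1: shut the legacy SVI so 10.1.1.0/24 has one active gateway.
! Done from the CLI: Cisco DNA Center does not manage VLAN 10.
configure terminal
 interface Vlan10
  shutdown
 end

! --- Steps 2 and 3: shape of the SVI Cisco DNA Center provisions once the
! existing 10.1.1.0/24 pool is assigned to this fabric site. The same subnet
! now lives in VLAN 1021 inside the Campus_VN VRF as a LISP anycast gateway
! that every fabric edge shares.
interface Vlan1021
 vrf forwarding Campus_VN
 ip address 10.1.1.1 255.255.255.0
 ip helper-address 10.10.10.10
 no ip redirects
 lisp mobility 10_1_1_0-Campus_VN-IPV4

! --- Step 4: hosts move to the fabric IP pool. Normally done through host
! onboarding in Cisco DNA Center; shown as CLI so the change is visible.
configure terminal
 interface GigabitEthernet1/0/5
  switchport access vlan 1021
 end

! --- Step 5: verify before touching the next VLAN on this switch.
! Vlan10 must show administratively down, Vlan1021 up/up.
show ip interface brief | include Vlan10|Vlan1021
! The host should appear on Gi1/0/5 in VLAN 1021 with its 10.1.1.x address.
show device-tracking database
! The host EID must be registered with the control-plane node.
show lisp instance-id 4099 ipv4 database
! Reachability inside the VN to the moved host.
ping vrf Campus_VN 10.1.1.50
```

Shutting down Vlan10 before the fabric SVI comes up matters because both carry the gateway address 10.1.1.1: the legacy SVI is in the global table and the fabric SVI in a VRF, so the switch accepts both, but hosts would otherwise see two gateways answering ARP for the same address. Keeping the subnet intact is also what lets the existing firewall IP-ACL rules stay untouched, as the design considerations slide states.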
Migrating Wireless and Integrating into Fabric
Almost there!

Cisco SD-Access Wireless Adoption
[diagram: an SD-Access fabric managed by Cisco DNA Center with ISE/AD; a Fabric WLC holds CAPWAP control of the Fabric APs, which carry client data in VXLAN to the fabric edges; SSIDs Guest and Blizzard serve Employee, Contractor and BYOD users; guest traffic is carried over a VXLAN tunnel to a Guest fabric border node (FB) at the Internet edge]
Full Cisco SD-Access Wireless value:
- Cisco DNA Center and NDP for automation and assurance
- Virtual Networks for segmentation (e.g. Employee, IoT, Guest)
- ISE for SGT-based access control within a VRF (e.g. Contractor, BYOD, Employees)
- Subnet extension across the campus with a distributed data plane
- Optimized path for Guest, with no anchor WLC
- And more

Migrating to Cisco SD-Access Wireless from CUWN
The customer has a site with AireOS centralized wireless.
Assumptions:
- Migration to Fabric happens one area (e.g. a building) at a time, and each area is migrated in one shot
- No need for seamless roaming between the new SDA area and the existing wireless deployment
[diagram: WLC, DHCP, ISE and Cisco Prime in the data center; Bldg 1 and Bldg 2 are both non-fabric]

Cisco SD-Access Wireless Adoption: Migration for an existing CUWN deployment
1. Add Cisco DNA Center and ISE (if not present already)
2. Migrate the wired network to Fabric first
3. Wireless runs over the top
[diagram: Bldg 1 remains non-fabric; Bldg 2 is now an SD fabric with border (B) and control-plane (C) nodes; APs in both buildings still CAPWAP to the existing WLC]

4. Add a dedicated WLC for Cisco SD-Access and configure it with the same SSIDs
5. On the CUWN WLC, configure the APs in the migrated area to join the new Fabric WLC
6. Traffic now goes through the Fabric
[diagram: the SDA WLC has CAPWAP control of the fabric APs, whose client data goes as VXLAN into the fabric; the existing WLC keeps CAPWAP control of the non-fabric APs; no seamless roaming between Bldg 1 and Bldg 2]

Cisco SD-Access Wireless Adoption: Recommendations
- Prime for the CUWN areas, Cisco DNA Center for the SDA areas
- A dedicated WLC for Cisco SD-Access Wireless
- The same SSIDs on Fabric and non-Fabric
- The same RF group for the CUWN WLC and the SDA WLC
- WLCs in different mobility groups (no seamless roaming between areas)
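The controller settings behind steps 4 and 5 and the recommendations above, as an added example that is not from the session: the existing CUWN controller is AireOS as the slides state, while the dedicated fabric WLC is assumed here to be a Catalyst 9800 running IOS-XE (the slides do not name the platform). The names CAMPUS-RF, CUWN-MG, SDA-MG and SDA-WLC-1, the AP names and the address 10.20.0.10 are assumptions; the SSIDs Guest and Blizzard are the ones shown on the adoption slide.

```cisco
! Added example (not from the session). RF-group and mobility-group
! settings for the two controllers during coexistence. CAMPUS-RF, CUWN-MG,
! SDA-MG, SDA-WLC-1, the AP names and 10.20.0.10 are assumptions.

! ===== Existing CUWN WLC (AireOS CLI) ==================================
! Same RF group on both controllers, so RRM coordinates channel and power
! decisions across the boundary between fabric and non-fabric buildings.
config network rf-network-name CAMPUS-RF

! Mobility group deliberately NOT shared with the fabric WLC. No mobility
! tunnel is built, so a client moving between buildings re-associates and
! re-authenticates: the "no seamless roaming" trade-off the slides accept.
config mobility group domain CUWN-MG

! Step 5: point the APs in the migrated building at the new fabric WLC.
! Once an AP has joined it, Cisco DNA Center provisions it as a fabric AP.
config ap primary-base SDA-WLC-1 AP-Bldg2-Floor1 10.20.0.10
config ap primary-base SDA-WLC-1 AP-Bldg2-Floor2 10.20.0.10
save config

! Checks on the CUWN side: RF-Network Name must read CAMPUS-RF, the
! mobility summary must not list the SDA WLC, and the Bldg 2 APs should
! drop off the AP summary as they move.
show network summary
show mobility summary
show ap summary

! ===== Dedicated fabric WLC (Catalyst 9800, IOS-XE CLI) ===============
configure terminal
 wireless rf-network CAMPUS-RF
 wireless mobility group name SDA-MG
 end

! Step 4: the SSIDs (Guest and Blizzard on the slides) are provisioned on
! this controller by Cisco DNA Center to match the CUWN WLC.

! Checks: the mobility summary must show only this controller as a member,
! and the Bldg 2 APs must now be joined here.
show wireless mobility summary
show running-config | include rf-network|mobility group
show ap summary
```

Sharing the RF group without sharing the mobility group is the combination the recommendations slide asks for: the radios on both sides are planned as one RF domain, while client state is never tunnelled between a controller Cisco DNA Center manages and one Prime manages.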
What Next?

Build a PoC in a Lab
- Start in a lab: an isolated, controlled environment
- How do I connect the lab to the production network if I want to validate use cases?

Connecting PoC Lab to Production
[diagram: the PoC fabric's border/control-plane nodes (B/C) connect through a Fusion Router to the External Network]

IGP Normalization
[diagram: IS-IS/OSPF inside the fabric underlay, eBGP from the border nodes to the fusion router, EIGRP/OSPF in the external network]
- Redistribute eBGP into OSPF/EIGRP on the fusion router
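Redistributing a PoC fabric's eBGP routes into the production IGP is the one point where a lab mistake can hijack a production prefix or leak production state into the lab, so the fusion router should filter in both directions. The following is an added example of that fusion router configuration, not from the session or from Cisco; AS numbers 65000 and 65001, the peering address 192.0.2.1, the OSPF process and router-id, and the production ranges in TO-FABRIC are assumptions, while 10.1.1.0/24 and 10.1.2.0/24 are the pools from the routed-access slides. One VN in the global table is shown; with several VNs the same structure is repeated per VRF.

```cisco
! Added example (not from the session). Fusion router between a PoC fabric
! border (eBGP, AS 65001) and a production OSPF core (AS 65000). Addresses,
! prefix-list contents and process IDs are assumptions.

! Only the lab's own IP pools may enter production
ip prefix-list FABRIC-POOLS seq 10 permit 10.1.1.0/24
ip prefix-list FABRIC-POOLS seq 20 permit 10.1.2.0/24
! Only the production ranges the PoC needs are handed to the lab border:
! no default route, no management or data-center space beyond these
ip prefix-list TO-FABRIC seq 10 permit 10.100.0.0/16 le 24
ip prefix-list TO-FABRIC seq 20 permit 10.200.0.0/16 le 24
!
route-map FABRIC-IN permit 10
 match ip address prefix-list FABRIC-POOLS
!
route-map FABRIC-OUT permit 10
 match ip address prefix-list TO-FABRIC
!
! Tag redistributed lab routes so they stay recognizable in the OSPF domain
route-map BGP-TO-OSPF permit 10
 match ip address prefix-list FABRIC-POOLS
 set tag 65001
!
! Never let the lab routes return into BGP from OSPF; only pass production
route-map OSPF-TO-BGP deny 10
 match tag 65001
route-map OSPF-TO-BGP permit 20
 match ip address prefix-list TO-FABRIC
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 description PoC fabric border
 address-family ipv4
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 soft-reconfiguration inbound
  neighbor 192.0.2.1 route-map FABRIC-IN in
  neighbor 192.0.2.1 route-map FABRIC-OUT out
  neighbor 192.0.2.1 maximum-prefix 50 restart 5
  redistribute ospf 1 route-map OSPF-TO-BGP
 exit-address-family
!
router ospf 1
 router-id 10.255.255.1
 redistribute bgp 65000 subnets route-map BGP-TO-OSPF
 network 10.255.0.0 0.0.255.255 area 0

! Checks on the fusion router: what the border sent, what survived the
! inbound filter, what was sent back, and the tagged external LSAs
! now originated into OSPF.
show ip bgp neighbors 192.0.2.1 received-routes
show ip bgp neighbors 192.0.2.1 routes
show ip bgp neighbors 192.0.2.1 advertised-routes
show ip ospf database external
! On a production OSPF router: only the two lab pools, as O E2 with tag 65001
show ip route ospf | include 10.1.1.0|10.1.2.0
```

FABRIC-IN together with `maximum-prefix` bounds what the PoC can inject (a lab that accidentally advertises 0.0.0.0/0 or a production prefix is dropped at the fusion router), FABRIC-OUT bounds what production state the lab learns, and the tag prevents the lab prefixes from being re-learned from OSPF and re-advertised. For the EIGRP option on the slide the same BGP-TO-OSPF route-map is applied under `router eigrp` with `redistribute bgp 65000`, which additionally needs a metric.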
Plan Production Pilot Roll-out
- Pre-plan and execute the installation and configuration of the management components
- Plan a maintenance window for the actual network migration
- Start small, in non-critical areas and with user groups sympathetic to IT; preferably start with the IT department
- Have backups of the network device configurations
- Have a rollback plan so users are not affected

Key Takeaways
- Existing network topologies can be migrated to SD-Access
- Existing subnets can be migrated into SD-Access
- Migration of Layer 2 as well as Routed Access designs is supported
- MPLS VPN designs can move to an IP core with SD-Access
- Automation support makes migration easy
- Considerations in migration: PoC in a lab; start small, with small/medium campus or branch locations