Cisco Software-Defined Access Solution Fundamentals: A Look Under the Hood
BRKENS-2810
Ritika Singh, Technical Marketing Engineer
#CiscoLive
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Introduction
Ritika Singh. New Delhi, India. Joined Cisco in 2014. Amateur at photography. Brief stint at baking professionally. Enjoys spending time teaching kids.

Cisco Webex App: Questions?
Use the Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App.
2. Click "Join the Discussion".
3. Install the Webex App or go directly to the Webex space.
4. Enter messages/questions in the Webex space.
Webex spaces will be moderated by the speaker until June 9, 2023. https:/

Agenda
- Why Cisco SD-Access?
- Roles and Terminology
- Fabric Fundamentals
- Multiple Fabrics
- Conclusion

Why Cisco SD-Access?

Traditional Networking Challenges
- Network Deployment Challenges
- Network Infrastructure: Switching, Routers, Wireless
- Network Security Challenges: Devices, Resources
- Wireless and Wired Challenges
- Network Operations Challenges

Cisco Software-Defined Access: Intent-Based Networking
- One Automated Network Fabric: a single fabric for wired and wireless with full automation.
- Identity-Based Policy and Segmentation: policy definition decoupled from VLAN and IP address.
- AI-Driven Insights and Telemetry: analytics and visibility into user and application experience.
(Diagram: Cisco DNA Center providing Assurance, Automation and Policy over one fabric of C, B and E nodes; Client Mobility, Policy follows User; Outside reached via SD-Access Extension.)

Cisco Software-Defined Access: Zero Trust for Network and Cloud Security
- Visibility: grant the right level of network access to users and devices.
- Segmentation: shrink zones of trust and grant access based on least privilege.
- Containment: automate containment of infected endpoints and revoke network access.
Visibility, Segmentation and Containment are explored further in BRKENS-2819.

Benefits of Cisco Software-Defined Access
- Enhance Security and Compliance
- Deliver Consistent Experience
- Boost Operational Effectiveness
- Gain Network Insights

Roles and Terminology: 1. Concepts

What is a Network Fabric?
- Mesh of connections between network devices.
- Transports data from source to destination.
- Usually refers to a virtualized, automated lattice of overlay connections.
- May (uncommonly) refer to the physical wiring of a network.

What is an Overlay?
An Overlay network is a logical topology used to virtually connect devices, built over an arbitrary physical Underlay topology.
Examples of overlay technologies: GRE, MPLS, IPsec, CAPWAP, LISP, VXLAN, BGP EVPN, SD-WAN, ACI, OTV.

What is a Fabric Site?
- An instance of an SD-Access Fabric.
- Typically defined by disparate geographical locations, but not always.
- Can also be defined by: endpoint scale; failure domain scoping; RTT; underlay connectivity attributes.
- Typically interconnected by a "Transit".
(Diagram: Fabric Site 1, Fabric Site 2 ... Fabric Site N, joined by a Transit.)

Roles and Terminology: 2. SD-Access Roles

Cisco SD-Access Roles: Mandatory Components
- Cisco DNA Center: GUI and APIs for intent-based automation of wired and wireless fabric devices.
- Fabric Border Nodes: a fabric device that connects external L3 and L2 networks to the Cisco SD-Access fabric.
- Edge Nodes: a fabric device that connects wired endpoints to the Cisco SD-Access fabric and optionally enforces micro-segmentation policy.
- Control Plane Node: Map System that tracks endpoint to fabric node relationships.

Cisco SD-Access Roles: Optional Components
- Identity Services Engine (highly recommended): NAC and ID services for dynamic endpoint to Security Group Tag mapping and policy distribution.
- Fabric Wireless Controller and Fabric APs (highly recommended): connect wireless endpoints to the SD-Access fabric.
- Extended Node: a switch operating at Layer 2 that extends fabric connectivity and optionally enforces micro-segmentation policy.
- Intermediate Nodes: move data between fabric nodes. Can be one or many hops.

Cisco SD-Access Roles: Some of the Supported Colocations
- Border Node and Control Plane Node.
- Border Node, Control Plane Node, and Fabric Edge Node.
- Border Node, Control Plane Node, Fabric Edge Node, and Embedded Wireless Controller.
- Border Node, Control Plane Node, and Embedded Wireless Controller.

Cisco SD-Access Fabric: Control Plane Node Maintains a Host Tracking Database to Map Location Information
- A simple Host Database that maps Endpoint IDs to locations, along with other attributes.
- The Host Database supports multiple Endpoint ID lookup types (IPv4, IPv6 or MAC).
- Receives Endpoint ID map registrations from Edge Nodes, Border Nodes and Fabric Wireless LAN Controllers.
- Resolves lookup requests from Edge Nodes and Border Nodes to locate destination Endpoint IDs.
- Publishes registrations to Subscribers (Border Nodes).
Host Tracking Database example (endpoint IP 1.2.3.4/32, MAC AA:BB:CC:DD, attached to EN1):
  IP to RLOC          1.2.3.4/32    -> EN1
  MAC to RLOC         AA:BB:CC:DD   -> EN1
  Address Resolution  1.2.3.4       -> AA:BB:CC:DD

Cisco SD-Access Fabric: Edge Node Provides First Hop Services for Endpoints
- Responsible for authenticating and authorizing endpoints (e.g. 802.1X, MAB, static) in concert with ISE.
- Registers Endpoint IDs (IPv4, IPv6, MAC) with the Control Plane Nodes.
- Provides an Anycast Gateway for the connected wired and wireless endpoints.
- Performs VXLAN encapsulation and decapsulation of traffic to and from all connected wired endpoints.
(Same IP to RLOC / MAC to RLOC / Address Resolution example as above.)

Cisco SD-Access Fabric: Border Node is the Fabric Site Entry and Exit for Network Traffic
- Subscribes to the LISP Control Plane Node IPv4 and IPv6 tables.
- There are 4 types of Border Node: External Border Node; Internal Border Node; Internal + External Border Node; Layer 2 Border Node.

External Border Node
- The most common configuration.
- Exports all fabric subnets to outside the Fabric Site as eBGP summary routes.
- Does not register IP prefixes from outside the Fabric Site into the fabric Control Plane.
- Acts as a gateway of last resort for the Fabric Site.

Internal Border Node
- Exports all fabric subnets to outside the Fabric Site as eBGP summary routes.
- Imports and registers eBGP-learned IPv4/IPv6 prefixes from outside the Fabric Site into the fabric Control Plane.
- Does not act as a gateway of last resort for the Fabric Site.

Internal + External Border Node
- Exports all fabric subnets to outside the Fabric Site as eBGP summary routes.
- Imports and registers eBGP-learned IPv4/IPv6 prefixes from outside the Fabric Site into the fabric Control Plane.
- Acts as a gateway of last resort for the Fabric Site.

Layer 2 Border Node
- Acts as the Layer 2 handoff for pure Layer 2 Overlays or Layer 2 + Layer 3 Overlays.
- Allows VLAN translation between SD-Access network segments and non-fabric VLAN IDs.
- Dual homing requires link aggregation; STP is not tunneled within the SD-Access Fabric.
- Ideally a separate device from the Layer 3 Border Node.

Cisco SD-Access Fabric: Fabric Enabled Wireless Unifies Wired and Wireless Management, Policy and Data Planes
- The Fabric WLC is accessible through a Fabric Border Node (Underlay). Can be several hops away.
- Fabric Enabled APs reside in a dedicated IP range and communicate with the WLC (CAPWAP control).
- The Fabric WLC registers endpoints with the Control Plane Node.
- Fabric APs switch endpoint traffic to the adjacent Edge Node.
- Wireless endpoints use the same data plane and policy plane as wired endpoints.
(Diagram: Data: VXLAN; Control: CAPWAP; wireless endpoint MAC AA:BB:CC:DD, IP 1.2.3.4/32.)

Roles and Terminology: 3. Fabric Constructs

Cisco SD-Access Fabric: Virtual Networks
- Layer 3 Virtual Networks use VRFs and LISP Instance IDs to maintain separate routing topologies. Endpoint IDs (IPv4/IPv6 addresses) are routed within an L3VN.
- Layer 2 Virtual Networks use LISP Instance IDs and VLANs to maintain separate switching topologies. Endpoint IDs (MAC addresses) are switched within an L2VN.
- Edge Nodes, Border Nodes and Fabric APs add a VNID (the LISP IID) to the fabric encapsulation.
(Diagram: L3VN Campus, L2VN IOT, L3VN Guest.)

Cisco SD-Access Fabric: Layer 3 Virtual Networks
- User-Defined VNs can be added or removed on demand.
- DEFAULT_VN is the same as a user-defined VN. Present in the SD-Access UI by default. Not deployed to the Fabric Site by default.
- INFRA_VN is only for Fabric Access Points and Extended Nodes, in the Global Routing Table.
- Fabric Devices (Underlay) connectivity is in the Global Routing Table.
(Diagram of a Fabric Site: INFRA_VN (for APs, Extended Nodes) in the GRT; User-Defined L3VN (VRF); User-Defined L3VN (VRF); Devices (Underlay) in the GRT. GRT = Global Route Table.)

Cisco SD-Access Fabric: Per-Layer-3-Virtual-Network Layer 3 Handoff
- Use a "Peer Device" to leak external routes into SD-Access Layer 3 Virtual Networks.
- Alternatively, maintain VRF segmentation outside of the SD-Access Fabric with a VRF-aware external routing domain.
- The Peer Device is outside the fabric. Can be any platform (router, Layer 3 switch, firewall, etc.) with appropriate capabilities.
(Diagram: LISP inside the fabric, MP-BGP to the Peer Device. Border Node AF* IPv4 in the GRT, SVI X <-> G0/0/0.X; AF* VRF A, SVI A <-> G0/0/0.Y, Peer Device VRF A, SVI Y; AF* VRF B, SVI B <-> G0/0/0.Z, Peer Device VRF B, SVI Z. *AF = Address Family.)

Cisco SD-Access Fabric: Extranet Provider Virtual Network Layer 3 Handoff
- Use an Extranet Policy to allow communication between one Provider Virtual Network and one or more Subscriber Virtual Networks.
- Extranet Policy is generally available from SD-Access 2.3.5.3. Requires the LISP Pub/Sub Control Plane.
- Please read the release collateral for details of functionality and design considerations.
(Diagram: LISP inside the fabric, MP-BGP AF IPv4 on G0/0/0 to the Peer Device. Extranet Subscriber VRF A, SVI A; Extranet Subscriber VRF B, SVI B; Extranet Provider SVI X.)

Cisco SD-Access Fabric: Layer 2 Handoff
- Ancient wisdom: route whenever you can, switch when you must.
- Layer 2 Virtual Networks hand off through a user-defined VLAN.
- Layer 2 Virtual Networks may implement broadcast, unknown-unicast and multicast flooding. It is important to be mindful of loop prevention.
(Diagram: User-Defined L2VN; User-Defined L2VN; User-Defined Anycast Gateway + L2VN (SVI in a VRF); each handed off to a VLAN outside the Fabric Site.)

Cisco SD-Access Fabric: A Security Group Tag Assigns a "Group" to Each Endpoint
- Edge Nodes and Fabric APs assign a unique Scalable Group Tag (SGT) to each endpoint in concert with ISE.
- Edge Nodes and Fabric APs add an SGT to the fabric encapsulation.
- SGTs are used to implement IP-address-independent traffic policies.
- SGTs can be extended to numerous other networking technologies, e.g. Cisco Secure Firewall, Cisco SD-WAN, some third-party devices, etc.
(Diagram: endpoints tagged SGT 17, 3, 23, 4, 3, 19, 8, 3, 25.)

Cisco SD-Access Fabric: Host Pools Provide a Default Gateway and Basic IP Services for Endpoints
- Edge Nodes instantiate an access VLAN and a Switched Virtual Interface (SVI) with user-defined IPv4/IPv6 addresses per Host Pool.
- Host Pools are assigned to endpoints dynamically by AAA or statically per port.
- Edge Nodes and Fabric WLCs register endpoint IDs (/32, /128 or MAC) with the Control Plane, enabling IP mobility: any IP address anywhere.
(Diagram: Pool.17, Pool.13, Pool.23, Pool.4, Pool.8, Pool.12, Pool.11, Pool.19, Pool.25.)

Cisco SD-Access Fabric: Anycast Gateway Provides a Default Gateway for IP-Capable Endpoints
- Similar principle and behavior to FHRP, with a shared virtual IPv4/IPv6 address and MAC address.
- The same Switch Virtual Interface (SVI) is present on all Edge Nodes with the same virtual IP and MAC.
- The wired or wireless endpoint can connect to any switch or AP in the fabric and communicate with the same Anycast Gateway.
(Diagram: L3VN Campus; every Edge Node hosts GW 1.2.0.1/16 with MAC A.A.A.)

Cisco SD-Access Fabric: Host Pools are "stretched" via the Overlay
- Endpoint IPv4/IPv6 traffic arrives on an Edge Node and is then routed or switched by the Edge Node.
- Fabric Dynamic EID mapping allows endpoint-specific (/32, /128, MAC) advertisement and mobility.
- VLANs are no longer needed to interconnect endpoints across Edge Nodes; this happens in the Overlay without broadcast flooding.
Example (L3VN Campus, GW 1.2.0.1/16 on every Edge Node; endpoint MAC 2.2.2 / 1.2.0.22/16 on EN1, endpoint MAC 3.3.3 / 1.2.255.33/16 on EN2):
  IP to RLOC          1.2.0.22/32     -> EN1
                      1.2.255.33/32   -> EN2
  MAC to RLOC         2:2:2           -> EN1
                      3:3:3           -> EN2
  Address Resolution  1.2.0.22        -> 2:2:2
                      1.2.255.33      -> 3:3:3

Cisco SD-Access Fabric: Layer 2 Virtual Networks
- By default, an L2VN is deployed with each Anycast Gateway and Layer 2 Flooding is disabled. Layer 2 Flooding can be enabled, if necessary, to service niche applications.
- An L2VN can be deployed without an Anycast Gateway; Layer 2 Flooding then cannot be disabled. Sometimes referred to as "Gateway Outside the Fabric".
- If Layer 2 Flooding is enabled, a Multicast Underlay P2MP tunnel is established between all Fabric Nodes.
(Diagram: L2 Overlay C spanning VLANs on two Edge Nodes with endpoints MAC 3.3.3 and MAC 2.2.2; MAC 1.1.1 is the Gateway Outside the Fabric.)

Fabric Fundamentals: 1. Control Plane

Cisco SD-Access Fabric: Control Plane: LISP
- Locator/ID Separation Protocol.
- IETF Standards Track RFC 9300 to RFC 9305 and Informational RFC 9299.
- Lightweight, efficient, scalable and extensible.

LISP in Cisco SD-Access
- LISP/BGP: released circa 2017. Reliable and stable. BGP transport.
- LISP Pub/Sub: released in 2022 with DNA Center 2.2.3.x. Reliable and stable. Native LISP transport. Less Control Plane load. Faster convergence. Highly extensible.

LISP Pub/Sub: A Brief Digression, before you ask
- No plans to end support for LISP/BGP.
- LISP Pub/Sub is recommended for new deployments. In DNA Center 2.2.3.x new Fabric Sites can be configured as LISP/BGP or LISP Pub/Sub. Note minimum IOS XE versions.
- First phase of the LISP/BGP to LISP Pub/Sub migration workflow is under development now: migrate IP-Based Transit Fabric Sites. ETA CY2023.
- Second phase of LISP/BGP to LISP Pub/Sub is under planning: migrate SD-Access Transit Fabric Sites.
- Official release collateral will explain functionality.

Fabric Operation: Default ETR Registration
- The External Border Node holds the external routes (0.0.0.0/0, 10.0.0.0/8, 192.168.0.0/16, etc.), learned via BGP, static, etc.
- The Border Node registers a Default ETR per L3VN (gateway of last resort) with the Control Plane Node:
  Border Node (local)                   Control Plane Node
  Destination   IID    Next Hop         Destination   IID    Next Hop
  Default ETR   1001   -                Default ETR   1001   BN1
  Default ETR   1002   -                Default ETR   1002   BN1

Fabric Operation: Edge Node Bootstrap
- Each Edge Node learns the Default ETR for every IID from the Control Plane Node:
  Destination   IID    Next Hop
  Default ETR   1001   BN1
  Default ETR   1002   BN1

Fabric Operation: Endpoint Registration
- Endpoint A (1.1.1.1, 2001::1, MAC A) attaches to EN1; endpoint B (2.2.2.2, 2001::2, MAC B) attaches to EN3.
- EN1 and EN3 register their endpoints' EIDs with the Control Plane Node (each Edge Node's own table lists its local EID with next hop "-" alongside the Default ETR entries):
  Control Plane Node
  Destination   IID    Next Hop
  1.1.1.1       1001   EN1
  2.2.2.2       1001   EN3

Fabric Operation: Notification and Publish
- The Control Plane Node notifies and publishes the new registrations to its subscriber, the Border Node, whose table now also holds:
  Destination   IID    Next Hop
  1.1.1.1       1001   EN1
  2.2.2.2       1001   EN3

Fabric Operation: South to North Traffic
- Endpoint B (2.2.2.2) sends a packet to 8.8.8.8. EN3 asks the Control Plane Node: "Where is 8.8.8.8?"
- The Control Plane Node has no matching EID and returns a Negative Map Reply covering 8.0.0.0/7.
- EN3 installs 8.0.0.0/7, IID 1001, next hop BN1 (the Default ETR) in its map-cache and encapsulates the traffic to BN1, which forwards it using its external routing table.

Fabric Operation: East to West Traffic
- Endpoint B (2.2.2.2) sends a packet to 1.1.1.1. EN3 asks: "Where is 1.1.1.1?" Map Reply: 1.1.1.1 is at EN1.
- EN3 installs 1.1.1.1, IID 1001, next hop EN1 and encapsulates the traffic directly to EN1:
  EN3 map-cache
  Destination   IID    Next Hop
  8.0.0.0/7     1001   BN1
  1.1.1.1       1001   EN1

Advantages of LISP
- Optimised resource usage on Edge Nodes: "pull" only the information needed, like DNS. By comparison, BGP pushes all routing information to all Edge Nodes.
- The Underlay network is simple and stable: IGP routing from Border Node to Edge Node. Maybe PIM. No L2, no VLANs, no link bundling, no STP, no MPLS.
- Unified wired and wireless data plane and policy plane. No wireless concentrator bottleneck = higher throughput.
- Receive future innovations in later SD-Access + IOS XE releases.
Related sessions: BRKENS-2828, BRKENS-2833.
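The Default ETR registration, Pub/Sub publish, Negative Map Reply and Map Reply steps above, as an added Python model that is not part of the session or of any Cisco software. Node names, IIDs and addresses are the slides' (EN1, EN3, BN1, IIDs 1001/1002, 1.1.1.1, 2.2.2.2, 8.8.8.8); the Negative Map Reply coverage is computed as the shortest prefix containing the queried address that overlaps no registered EID, which with only the two constructed host registrations yields 8.0.0.0/5 rather than the 8.0.0.0/7 the slide shows for its fuller deployment.

```python
"""Toy model of the Fabric Operation walk-through: a Control Plane Node (LISP
Map-Server with Default ETR and Pub/Sub subscribers) and an Edge Node (ITR)
that pulls mappings into its map-cache on demand. Constructed example."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MapReply:
    eid: ipaddress.IPv4Network   # prefix this reply covers
    rloc: Optional[str]          # None for a Negative Map-Reply
    negative: bool


@dataclass
class ControlPlaneNode:
    db: dict = field(default_factory=dict)           # IID -> {EID prefix: RLOC}
    default_etr: dict = field(default_factory=dict)  # IID -> RLOC (gateway of last resort)
    subscribers: dict = field(default_factory=dict)  # IID -> {name: published table}

    def register_default_etr(self, iid: int, rloc: str) -> None:
        self.default_etr[iid] = rloc

    def subscribe(self, iid: int, name: str) -> None:
        """Pub/Sub: a Border Node subscribes to an IID and receives a copy of its table."""
        self.subscribers.setdefault(iid, {})[name] = dict(self.db.get(iid, {}))

    def register(self, iid: int, eid: str, rloc: str) -> None:
        """Map-Register from an Edge Node; the mapping is published to every subscriber."""
        net = ipaddress.ip_network(eid, strict=False)
        self.db.setdefault(iid, {})[net] = rloc
        for table in self.subscribers.get(iid, {}).values():
            table[net] = rloc

    def subscriber_view(self, iid: int, name: str) -> dict:
        return {str(k): v for k, v in self.subscribers[iid][name].items()}

    def negative_coverage(self, iid: int, addr: str) -> ipaddress.IPv4Network:
        """Shortest prefix containing addr that overlaps no registered EID in the IID."""
        ip = ipaddress.ip_address(addr)
        registered = self.db.get(iid, {})
        for plen in range(0, 33):
            cand = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
            if not any(cand.overlaps(e) for e in registered):
                return cand
        return ipaddress.ip_network(f"{ip}/32")

    def map_request(self, iid: int, addr: str) -> MapReply:
        ip = ipaddress.ip_address(addr)
        matches = [e for e in self.db.get(iid, {}) if ip in e]
        if matches:
            best = max(matches, key=lambda e: e.prefixlen)   # longest match wins
            return MapReply(best, self.db[iid][best], negative=False)
        return MapReply(self.negative_coverage(iid, addr), None, negative=True)


@dataclass
class EdgeNode:
    name: str
    cpn: ControlPlaneNode
    map_cache: dict = field(default_factory=dict)    # (IID, prefix) -> RLOC

    def forward(self, iid: int, dst: str) -> Optional[str]:
        """Return the RLOC a packet for dst in this IID is VXLAN-encapsulated to."""
        ip = ipaddress.ip_address(dst)
        for (cached_iid, prefix), rloc in self.map_cache.items():
            if cached_iid == iid and ip in prefix:
                return rloc                        # cache hit: no Map-Request needed
        reply = self.cpn.map_request(iid, dst)     # "pull" only what is needed, like DNS
        # A Negative Map-Reply installs the Default ETR for the whole covering prefix.
        rloc = self.cpn.default_etr.get(iid) if reply.negative else reply.rloc
        self.map_cache[(iid, reply.eid)] = rloc
        return rloc

    def cache_view(self) -> dict:
        return {f"{iid}:{prefix}": rloc for (iid, prefix), rloc in self.map_cache.items()}


def build_fabric():
    """Slides' scenario: BN1 is Default ETR for IIDs 1001/1002 and subscribes to 1001;
    EN1 registers endpoint A (1.1.1.1), EN3 registers endpoint B (2.2.2.2)."""
    cpn = ControlPlaneNode()
    cpn.register_default_etr(1001, "BN1")
    cpn.register_default_etr(1002, "BN1")
    cpn.subscribe(1001, "BN1")
    cpn.register(1001, "1.1.1.1/32", "EN1")
    cpn.register(1001, "2.2.2.2/32", "EN3")
    return cpn, EdgeNode("EN3", cpn)


if __name__ == "__main__":
    cpn, en3 = build_fabric()
    print("south-to-north 8.8.8.8 ->", en3.forward(1001, "8.8.8.8"))   # BN1
    print("east-to-west   1.1.1.1 ->", en3.forward(1001, "1.1.1.1"))   # EN1
    print("EN3 map-cache:", en3.cache_view())
    print("BN1 published table:", cpn.subscriber_view(1001, "BN1"))
```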
83、affiliates.All rights reserved.Cisco Public#CiscoLiveCisco SD-Access Fabric1.1.Control Plane:LISPControl Plane:LISP2.2.Data Plane:VXLANData Plane:VXLAN60BRKENS-2810ORIGINAL PACKETPAYLOADETHERNETIPPAYLOADETHERNETIPVXLANUDPIPETHERNETPACKET IN VXLANSupports L2 Supports L2&L3 Overlay&L3 Overlay 2023 Cis
84、co and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveVXLAN-GPO Header MAC-in-IP with VN ID and SGT IDUnderlayOuter IP HeaderOuter MAC HeaderUDP HeaderVXLAN HeaderOverlay14 Bytes(4 Bytes Optional)Ether Type0 x0800VLAN IDVLAN Type0 x8100Source MACDest.MAC484816161620 BytesDest.IPSource I
85、PHeader ChecksumProtocol 0 x11(UDP)IP HeaderMisc.Data7281632328 BytesChecksum 0 x0000UDP LengthDest PortSource Port161616168 BytesReservedVN IDSegment IDVXLAN Flags RRRRIRRR816248Src VTEP MAC AddressNext-Hop MAC AddressAllows 16M possible VRFsUDP 4789Hash of inner L2/L3/L4 headers of original frame.
86、Enables entropy for ECMP load balancing.Inner(Original)IP HeaderOriginal PayloadInner(Original)MAC HeaderAllows 64K possible SGTsDst RLOC IP AddressSrc RLOC IP AddressBRKENS-281061Fabric Fundamentals1.Control Plane2.Data Plane3.3.Policy PlanePolicy Plane 2023 Cisco and/or its affiliates.All rights r
87、eserved.Cisco Public#CiscoLiveCisco SD-Access Fabric1.1.Control Plane:LISPControl Plane:LISP2.2.Data Plane:VXLANData Plane:VXLAN3.3.Policy Plane:GroupPolicy Plane:Group-Based PolicyBased Policy63BRKENS-2810PAYLOADETHERNETIPVXLANUDPIPETHERNETVRF+SGTVirtual Routing&ForwardingSecurity Group Tagging 202
88、3 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveWhat is Security Group Tag and Group-Based Policy?SGT:30Group-Based PolicyEndpoint authenticated andEndpoint authenticated andclassified as Camera(SGT 5)classified as Camera(SGT 5)Destination=SGT 20Destination=SGT 20IP:10.1.100.
89、52IP:10.1.10.220IP:10.1.200.100DST SRCLighting(20)HVAC(30)Camera(5)PermitDenyBYOD(7)DenyPermitEndpoints authenticated Endpoints authenticated and classified as:and classified as:Lighting(SGT 20)Lighting(SGT 20)HVAC(SGT 30)HVAC(SGT 30)SRC:10.1.10.220DST:10.1.100.52SGT:5SGT:20VXLAN overlay5SD-AccessUn
90、derlayBRKENS-281064 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSD-Access PolicyMacro-Segmentation and Micro-SegmentationFirst-level Segmentation ensures zero zero communicationcommunication between forwarding domains.Ability to consolidate multiple networks into one m
91、anagement plane.Virtual Network(VN)Second-level Segmentation ensures rolerole-based based access control access control between groups in a VN.Ability to segment the network into lines of business or functional blocks.Security Group Tag(SGT)BRKENS-281065 2023 Cisco and/or its affiliates.All rights r
92、eserved.Cisco Public#CiscoLiveSD-Access PolicyAccess Control PoliciesSource GroupDestination GroupACTION:DENYContractClassifier TypeClassifier TypeAction TypeAction TypePort NumberPermitProtocol NameDenyApplication TypeCopyGuest UsersWeb ServerCLASSIFIER:PORTCisco DNA CenterBRKENS-281066 2023 Cisco
93、and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSD-Access PolicyGroup-Based Access Control Policy1.Select Source GroupSource Group(s)2.Select Destination GroupDestination Group(s)3.Select Access ContractAccess Contract(s)BRKENS-281067Multiple Fabrics 2023 Cisco and/or its affiliates.
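An added Python example, not code from the session or from Cisco: it builds and parses the VXLAN-GPO header sketched above and applies the Camera/Lighting/HVAC/BYOD matrix at the destination Edge Node after decapsulation. The RLOCs, MAC addresses, VNI 1001 (the LISP IID) and the destination node's SGT bindings are constructed; the 8-byte header is arranged as in draft-smith-vxlan-group-policy (flags, policy flags, 16-bit Group Policy ID = SGT, 24-bit VNI, reserved), the ECMP source port uses CRC32 of the inner headers as one possible hash, and matrix cells the slide does not show are treated as deny.

```python
"""Constructed VXLAN-GPO encapsulation/decapsulation plus group-based policy
enforcement at the destination Edge Node (not Cisco code)."""
import struct
import zlib

VXLAN_PORT = 4789
FLAG_I = 0x08   # VNI valid (RFC 7348)
FLAG_G = 0x80   # group-policy extension present (draft-smith-vxlan-group-policy)


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def ip4(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))

def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ethernet_header(dst: str, src: str, ethertype: int = 0x0800) -> bytes:
    return mac(dst) + mac(src) + struct.pack("!H", ethertype)

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, ip4(src), ip4(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def entropy_port(inner_frame: bytes) -> int:
    """Outer UDP source port: hash of the inner L2/L3/L4 headers (ECMP entropy)."""
    return 49152 + zlib.crc32(inner_frame[:14 + 20 + 8]) % 16384

def vxlan_gpo_encap(inner_frame: bytes, vni: int, sgt: int, src_rloc: str,
                    dst_rloc: str, vtep_mac: str, next_hop_mac: str) -> bytes:
    """Source Edge Node: wrap the original frame MAC-in-IP with VN ID and SGT."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VN ID is 24 bits (16M VRFs)")
    if not 0 <= sgt < 1 << 16:
        raise ValueError("SGT is 16 bits (64K groups)")
    vxlan = struct.pack("!BBHI", FLAG_I | FLAG_G, 0, sgt, vni << 8)  # low 8 bits reserved
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", entropy_port(inner_frame), VXLAN_PORT, udp_len, 0)
    return (ethernet_header(next_hop_mac, vtep_mac)
            + ipv4_header(src_rloc, dst_rloc, 17, udp_len) + udp + vxlan + inner_frame)

def vxlan_gpo_decap(frame: bytes):
    """Destination Edge Node: validate the outer headers, return (vni, sgt, inner_frame)."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    if ipv4_checksum(frame[14:14 + ihl]) != 0 or frame[14 + 9] != 17:
        raise ValueError("bad outer IP header or not UDP")
    udp_off = 14 + ihl
    _, dport, udp_len, _ = struct.unpack_from("!HHHH", frame, udp_off)
    if dport != VXLAN_PORT:
        raise ValueError("not VXLAN (UDP 4789)")
    flags, _pflags, sgt, vni_res = struct.unpack_from("!BBHI", frame, udp_off + 8)
    if not flags & FLAG_I:
        raise ValueError("VXLAN I flag not set")
    sgt = sgt if flags & FLAG_G else 0          # no group-policy extension: untagged
    return vni_res >> 8, sgt, frame[udp_off + 16:udp_off + udp_len]


# Slide's matrix: (source SGT, destination SGT) -> action; unlisted cells deny (constructed).
POLICY = {(5, 20): "permit", (5, 30): "deny", (7, 20): "deny", (7, 30): "permit"}
# Destination Edge Node's own endpoint-to-SGT bindings from authentication (constructed).
LOCAL_BINDINGS = {"10.1.100.52": 20, "10.1.200.100": 30}


def egress_policy(frame: bytes) -> dict:
    """Decapsulate, resolve the destination's SGT locally, apply the group-based policy."""
    vni, src_sgt, inner = vxlan_gpo_decap(frame)
    dst_ip = ".".join(str(b) for b in inner[14 + 16:14 + 20])   # inner IPv4 destination
    dst_sgt = LOCAL_BINDINGS.get(dst_ip)
    action = POLICY.get((src_sgt, dst_sgt), "deny")
    return {"vni": vni, "src_sgt": src_sgt, "dst_ip": dst_ip, "dst_sgt": dst_sgt, "action": action}

def build_flow(src_ip: str, dst_ip: str, sgt: int, vni: int = 1001) -> bytes:
    """Constructed endpoint UDP datagram, encapsulated by one Edge Node towards another's RLOC."""
    payload = b"hello"
    inner = (ethernet_header("00:00:5e:00:01:01", "02:00:00:00:00:05")   # anycast GW MAC, host MAC
             + ipv4_header(src_ip, dst_ip, 17, 8 + len(payload))
             + struct.pack("!HHHH", 40000, 5000, 8 + len(payload), 0) + payload)
    return vxlan_gpo_encap(inner, vni, sgt, "192.0.2.1", "192.0.2.3",
                           "02:00:00:00:01:01", "02:00:00:00:ff:ff")
```

Running `egress_policy(build_flow("10.1.10.220", "10.1.100.52", 5))` reproduces the slide's Camera-to-Lighting case as a permit with the SGT recovered from the header, while the same source towards 10.1.200.100 (HVAC) is denied.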
Multiple Fabrics

Transits for VN and SGT Preservation
- IP-Based Transit: Per-Layer-3-Virtual-Network eBGP peering to the external routing domain, or LISP Extranet Provider VN eBGP peering to the external routing domain. SGT propagation outside of the fabric requires suitable hardware and software. (Diagram: Fabric1 VN1 eBGP, VN2 eBGP, VN3 eBGP -> IP -> Fabric2.)
- SD-Access Transit: SD-Access LISP/VXLAN between Fabric Sites. Preserves Layer 3 Virtual Networks and SGT. Fabric as a transit between external routing domains. (Diagram: Fabric1, Fabric2 ... FabricN over IP, between ASN1 and ASN2.)
- SD-WAN Transit: Cisco SD-WAN between Fabric Sites. Separate SD-WAN Edge for implementation flexibility, Border Node port density and speed: Independent Domains PDG. Colocated SD-WAN Edge for L3VN-VPN stitching with SGT data plane. IMPORTANT: read the Integrated Domains PDG for functional restrictions.

SD-Access Resources (cs.co/en-cvds)
General, Technical and Related resources:
- SD-Access Solution Design Guide
- SD-Access Deployment Guide
- SD-Access Segmentation Guide
- SD-Access Book for Industry Verticals
- SD-Access Fabric R
- Cisco DNA Center At-A-Glance
- Cisco DNA Center ROI Calculator
- Cisco DNA Center Data Sheet
- Cisco DNA Center User Guide
- Cisco DNA Center YouTube Channel
- Cisco DNA Center Solution B
- SD-Access At-A-Glance
- SD-Access Ordering Guide
- SD-Access Solution Overview
- SD-Access YouTube Channel
- *New* SD-Access Design Tool

Options for deployment (slide from BRKENS-2833)
- Cisco DNA Center automated configuration of a Cisco LISP Fabric which includes Macro and Micro Segmentation: includes SDA Automation Workflows and Integrations; best-practice standardized configurations; includes SDA Assurance.
- OR
- CLI configuration of a Cisco LISP Fabric which includes Macro and Micro Segmentation: open integration with heterogeneous tooling (CLI, Ansible, NSO, etc.); agile customization within the parameters of the LISP Fabric validated design; can support DNAC Device and Client Assurance; a subset of features supported compared to what is available with Cisco DNA Center.

Options for deployment: audience questions
- How many of you use automation systems to orchestrate network configurations today on the network devices?
- How many of you would be interested in deploying LISP VXLAN Fabric in your networks via the above automation systems?

Conclusion
Cisco's Software Defined Access (SD-Access) provides a secure, dynamic, and automated way to meet the security and operational challenges faced by an ever-changing environment.

Fill out your session surveys!
- Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)!
- These points help you get on the leaderboard and increase your chances of winning daily and grand prizes.
- Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed.

Continue your education
- Visit the Cisco Showcase for related demos.
- Book your one-on-one Meet the Engineer meeting.
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs.
- Visit the On-Demand Library for more sessions at www.CiscoL

Thank you

Gamify your Cisco Live experience! Get points for attending this session!
How:
1. Open the Cisco Events App.
2. Click on Cisco Live Challenge in the side menu.
3. Click on View Your Badges at the top.
4. Click the + at the bottom of the screen and scan the QR code.