2. Data Centre and DNA Campus Fabric Integration
Victor Moreno, Distinguished Engineer
BRKACI-2220
3. Agenda
• Introduction
• Multi-level Policy and Management Architecture
• Introduction to ACI and DNA Campus Fabric
• Policy abstractions in ACI and DNA Campus Fabric
• Control and Data Plane Interworking
• Conclusion
4. Icon Legend
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
• DB
• APIC-EM Enterprise Network Controller
• SDA Controller (APIC-EM + ISE)
• Identity Services Engine (ISE)
• APIC Data Center Network Controller
• Scalable Groups (User and Application)
6. Switching Fabric Trends
• Complex → Operational Simplicity
• Security Concerns → Reduce the Attack Surface with Segmentation and Access Control
• Mobility → Any IP anywhere; Pervasive L2 and L3 forwarding
• Reactive → Operational Visibility and Streaming Telemetry
7. Switching Fabrics
Secure Segmentation
• Coarse Segmentation into Virtual Networks
• Flexible User/Device Grouping
• Fine Grain Segmentation into device Groups
Mobility
• Any IP anywhere
• Wired and Wireless
• Layer 2 and Layer 3 services
Policy Driven
• Simplification of Intent
• Policy defines relationships between Groups of devices
• Defines segmentation and security
(Diagram: Endpoints and Branch sites attached to the fabric, serving Mobility, Collaboration and Security.)
8. What exactly is a Fabric?
(Diagram: Hosts (End-Points) attach to Edge Devices; Virtual Networks are carried with a Virtual Network Encapsulation and an Overlay Control Plane on top of an Underlay Network with its own Underlay Control Plane.)
Properties: Mobility, Segmentation, Manageability
9. Switching Fabric Mobility
Locator-ID separation for L2 and L3 Services with host mobility
Today's IP Behavior: Loc/ID "Overloaded" Semantic
• The device's IPv4 or IPv6 address represents both Identity and Location.
• When the device moves, it gets a new IPv4 or IPv6 address for its new identity and location (e.g. 10.1.0.1 becomes 20.2.0.9).
Loc/ID "Split"
• The device's IPv4 or IPv6 address represents Identity only.
• When the device moves, it keeps its IPv4 or IPv6 address (10.1.0.1) and has the same identity; only the Location changes (e.g. from locator 1.1.1.1 to locator 2.2.2.2 in the IP core).
10. Switching Fabric Segmentation
(Diagram: Virtual Network 1 and Virtual Network 2; Identity Services classify users and things into groups.)
11. Fabric Enabled Segmentation: Virtual Network based Segmentation
(Diagram: several Virtual Networks carried over one Underlay Network.)
12. Fabric Enabled Segmentation: Device Group Based Segmentation
(Diagram, Campus/DC: an Employee Segment with the groups Temp and Perm (users John and Mike) and a Building-Systems segment with the groups Printers and Projector.)
Virtual Networks: Airgap isolation between communities of interest
End-point Groups: Access to resources controlled based on User/Device role
13. Switching Fabric Manageability & Policy
(Diagram: Virtual Network)
14. Switching Fabric Functional Tiers
16. DNA Campus Fabric
Secure Segmentation
• Coarse Segmentation into Virtual Networks
• Flexible User/Device Grouping
• Fine Grain Segmentation into device Groups
Mobility
• Any IP anywhere
• Wired and Wireless
• Layer 2 and Layer 3 services
Policy Driven
• Simplification of Intent
• Policy defines relationships between Groups of devices
• Defines segmentation and security
(Diagram: Endpoints and Branch sites attached to the fabric, serving Mobility, Collaboration and Security.)
17. Application Centric Infrastructure - ACI
Rapid Deployment of Applications onto Networks with Scale, Security and Full Visibility
(Diagram: ACI = Application Centric Policy Controller + Nexus 9500 and 9300.)
18. Fabric Segmentation across DC and Campus
(Diagram: on the campus side, Virtual Network 1 and Virtual Network 2 with Identity Services classifying users and things into Scalable Groups; on the DC side, Virtual Network 1 and Virtual Network 2 with the End-Point Groups Web, App and DB over compute, storage and applications managed through vCenter.)
• Campus: LISP/VXLAN L2 and L3 Services; USER – USER Policy
• Data Center: COOP/VXLAN L2 and L3 Services; APP – APP Policy
• Between fabrics: BGP/VXLAN xFabric Handoff; USER – APP Policy
19. Why not just have a single fabric?
Different yet complementary roles
Access Network
• User centric
• Wireless + Wired
• User and IOT connectivity
• POE
• Integration with AAA
• Moderate BW
Data Center
• Application centric
• Wired only
• Virtualized Compute connectivity
• Convergence of Storage & Compute
• Integration with hypervisors
• High BW, low latency
(Diagram: User to Application, from a client C in the access network to a Web server in the data center.)
20. Connecting Multiple Fabrics Together
Preserving Segmentation and Group Policy Semantics
22. Abstraction and Network Consumption
• Network Consumer (Intent): Multi-tier application cluster
• Network Admin (Network Management FCAPS): Segments: VLANs/VRFs, ACLs, Firewalls, Service Chains
23. Distinct Functionality, Distinct Domains
Access Domain (Campus/Branch/WAN), Network Operator
• Focused on User Access
• Wireless Integration
• User Identity / AAA
• Path Engineering
Data Center A, Data Center B, Network Operator
• Focused on Applications
• Virtualization: VMs, Containers
• Compute Integration
• Agile Application Deployment
• Hybrid Cloud Mobility
Fate Separation, Scale, Administrative Delineation
24. Unified Policy Language across Domains
(Diagram: Access Domain (Campus/Branch/WAN), Data Center A and Data Center B, each with its Network Operator, plus a Security Domain with a Security Operator; the domains exchange policy elements/objects.)
Example: Web Users (consumer) … Web Servers (provider), joined by a Contract:
• Allow only web traffic in/out
• Sessions must be logged
• Violations must be inspected
• …
25. Management & Orchestration Fabric Framework
(Diagram, top to bottom:)
• Consumer (Agile/DevOps): UI / API: Intent model
• Intent Based Policy (Cross Domain) Orchestration, with Service Lifecycle Managers and an Identity Store (ISE), reached through APIs
• Infrastructure (Network, Compute, Storage) Administrators and Network Service Administrators: Compute Control (vCenter), SDN Control & Management (Physical and Virtual), Automated DCI / WAN, each exposed through an API
26. Multi-Fabric Management and Orchestration
(Diagram, top to bottom:)
• Consumer (Agile/DevOps): UI / API: Intent model
• Intent Based Policy (Cross Domain) Orchestration, with Service Lifecycle Managers and an Identity Store (ISE), reached through APIs
• Infrastructure (Network, Compute, Storage) Administrators and Network Service Administrators: Compute Control (vCenter), the APIC Controller for the data center (Physical and Virtual) and the Access Fabric Controller for Wired access, each exposed through an API
• The WAN joins the fabrics at both the control plane and the data plane
27. Group Based Policy (GBP)
• End-Points: web-1, web-2, …, web-n
• End-Point Groups: Web Servers (provider), Clients (consumer)
• Contracts between consumer and provider, e.g.:
  Allow only web traffic in/out
  Sessions must be logged
  Violations must be inspected
  …
28. ACI - Policies across operational roles
Policy Consumer / App Developer: "I have a new Web Based Mail App. This service provides all I need"
Application Service:
• Web Server Admin: Web Servers; Allow …; Provide Web traffic only; Consume Mail Service
• Mail Server Admin: Mail Servers; Allow …; Provide Mail traffic only; Consume DB Service
• DB Server Admin: DB Servers; Allow …; Provide DB traffic only
Infrastructure Admin: rendering the policy onto the Network (VLANs, VRFs, ports; Firewalls, ACLs, SGACLs)
29. ACI Segmentation
• Tenant: Customer / Group / BU
• Private Network: Routing Table (VRF)
• Bridge Domain: L2 Boundary
• Subnet: IP Space(s)
• EPG: Groups of end points
(Diagram: Tenant-A holds Private Network-1 with Bridge Domain-1 and Subnet-1; Tenant-B holds Private Network-2 with Bridge Domain-2, Bridge Domain-3 and Bridge Domain-4 (Subnet-2 to Subnet-5, EPG-A to EPG-F) and Private Network-3 with Bridge Domain-5 (Subnet-6 and Subnet-7, EPG-A to EPG-C).)
30. DNA Campus Fabric Segmentation
Virtual Networks (VN) and Groups
• Tenant: Customer / Group / BU
• Virtual Network: Routing Table (VRF)
• Subnet: IP Space(s)
• SG: Groups of end points
(Diagram: Tenant-A holds Virtual Network 1 with Subnet-1; Tenant-B holds Virtual Network 2 (Subnet-2 to Subnet-5, SG-A to SG-F) and Virtual Network 3 (Subnet-6 and Subnet-7, SG-A to SG-C).)
31. ACI and DNA Campus Fabric Segmentation
ACI
• End-Point Groups (EPG) are bound to a Bridge Domain (BD)
• Subnets are also bound to BDs
DNA Fabric: Virtual Networks (VN) and Groups
• Secure Groups (SG) are independent of subnet and BD
• An SG may exist in one VN or many (VN agnostic)
(Diagram: side by side, the ACI hierarchy Tenant-A/Tenant-B → Private Network-1/-2/-3 → Bridge Domain-1 to -5 → Subnet-1 to -7 → EPG-A to EPG-F, and the DNA hierarchy Tenant-A/Tenant-B → Virtual Network 1/2/3 → Subnet-1 to -7 with SG-A to SG-F placed independently of the subnets.)
32. Federated Identity
Independent Policies with Cross Domain Group awareness
(Diagram: the domains Exchange Policy Groups.)
• User-User: Access Control: SG-ACL
• User-App: Application Prioritization (QoS, Filter, QoS Service); User to App Contracts from client C to Web
• App to App Contracts between Web, App1 and DB
33. Goal: Federated Policy across domains
(Diagram: DNA Campus / Branch (DNA Policy Domain), Trustsec Domain (Trustsec Policy Domain) and Data Center (ACI Policy Domain) Exchange Complete Policy.)
• User-User: Access Control: SG-ACL
• User-App: Application Prioritization (QoS, Filter, QoS Service); User to App Contracts from client C to Web
• App to App Contracts between Web, App1 and DB
35. Control and Data Plane Interworking
Propagate reachability and segmentation across domains
(Diagram: HOST-H1 in the DNA LISP Network with its Map Server, HOST-H2 in the ACI COOP Fabric behind the Spines, the two Borders joined across an IP Network.)
• CONTROL-PLANE: LISP in the DNA network, BGP-EVPN between the Borders, COOP in ACI
• DATA-PLANE: VXLAN/LISP+SGT in the DNA network, VXLAN+EPG in ACI
36. Handling Host State at Large Scale with LISP
§ Similar problem scale to DNS
  • Leverage demand based protocols
§ A directory of hosts
  • Location as well as policy
  • Location != Routing
§ Keep routing lean
  • Move all host state to LISP directory
§ Minimize state on the routers and switches (cache on demand)
(Diagram: LISP XTRs at Branch/Closet sites, DC 1 and DC 2 consult the LISP Host directory across the WAN/Campus.)
37. Locator / ID Separation Protocol
Location and Identity Separation
Traditional Behavior - Location + ID are "Combined"
• The device's IPv4 or IPv6 address represents both Identity and Location.
• When the device moves, it gets a new IPv4 or IPv6 address for its new identity and location (e.g. 10.1.0.1 becomes 20.2.0.9).
Overlay Behavior - Location & ID are "Separated"
• The device's IPv4 or IPv6 address represents Identity only.
• When the device moves, it keeps the same IPv4 or IPv6 address (10.1.0.1) and has the same identity; only the Location changes in the IP core.
38. Locator / ID Separation Protocol: LISP Mapping System
LISP "Mapping System" is analogous to a DNS lookup
– DNS resolves IP Addresses for a queried Name: answers the "WHO IS" question
– LISP resolves Locators for queried Identities: answers the "WHERE IS" question
DNS (Name-to-IP, URL Resolution):
  Host → DNS Server: [ Who is lisp.cisco.com ]?
  DNS Server → Host: [ Address is 153.16.5.29, 2610:D0:110C:1::3 ]
LISP (ID-to-Locator, Map Resolution):
  LISP Router → LISP Map System: [ Where is 2610:D0:110C:1::3 ]?
  LISP Map System → LISP Router: [ Locator is 128.107.81.169, 128.107.81.170 ]
39. Locator / ID Separation Protocol: How does LISP operate?
(Diagram: Branch site 10.1.0.0/24 behind ITRs at 1.1.1.1; Campus site D 10.2.0.0/24 behind ETRs 2.1.1.1 and 2.1.2.1; DC site 10.3.0.0/24 behind ETRs 3.1.1.1 and 3.1.2.1; Mapping System nodes 5.1.1.1, 5.2.2.2 and 5.3.3.3; Non-LISP sites reached through a PXTR.)
1. DNS Entry: D.abc.com A 10.2.0.1. The host sends 10.1.0.1 → 10.2.0.1.
2. The ITR queries the Mapping System for 10.2.0.1.
3. Mapping Entry returned: EID-prefix: 10.2.0.0/24; Locator-set: 2.1.1.1, priority: 1, weight: 50 (D1); 2.1.2.1, priority: 1, weight: 50 (D2). Path Preference is controlled by the Destination Site.
4. The ITR encapsulates 10.1.0.1 → 10.2.0.1 in an outer header 1.1.1.1 → 2.1.1.1.
5. The ETR decapsulates and delivers 10.1.0.1 → 10.2.0.1.
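The five steps above, as an added example (not code from the presentation): a small mapping system that an ITR queries on demand, with locator selection by priority and weight. The EID prefixes and RLOCs are the slide's; the class and function names, the map cache and the crc32 flow hash are this example's assumptions.

```python
"""LISP mapping-system walk-through: EID-prefix registration, on-demand
Map-Request resolution at an ITR, and locator selection by priority/weight.
Added example; names and the map-cache layout are this example's own."""
import ipaddress
import zlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Locator:
    rloc: str        # routing locator: an address reachable in the underlay
    priority: int    # lower is preferred; 255 means "never use"
    weight: int      # load share among locators of the same priority


@dataclass(frozen=True)
class Mapping:
    eid_prefix: ipaddress.IPv4Network
    locators: tuple


class MapServer:
    """The LISP host directory: EID-prefix -> locator-set, filled by ETR
    registrations, so routers keep no host state until they ask for it."""

    def __init__(self) -> None:
        self._db: dict = {}

    def register(self, eid_prefix: str, locators) -> None:
        net = ipaddress.ip_network(eid_prefix)
        self._db[net] = Mapping(net, tuple(locators))

    def map_request(self, eid: str) -> Optional[Mapping]:
        """Answer 'where is <eid>?' with the longest matching registration;
        None stands for a Negative Map-Reply (non-LISP destination)."""
        addr = ipaddress.ip_address(eid)
        best = None
        for net, mapping in self._db.items():
            if addr in net and (best is None or net.prefixlen > best.eid_prefix.prefixlen):
                best = mapping
        return best


def select_locator(mapping: Mapping, src: str, dst: str) -> Locator:
    """Destination-site path preference: only locators at the best (lowest)
    priority are eligible, and flows are spread across them by weight.
    crc32 of the flow keeps the choice stable for a given src/dst pair."""
    usable = [loc for loc in mapping.locators if loc.priority < 255 and loc.weight > 0]
    if not usable:
        raise ValueError("no usable locator for %s" % mapping.eid_prefix)
    best_prio = min(loc.priority for loc in usable)
    eligible = [loc for loc in usable if loc.priority == best_prio]
    point = zlib.crc32(f"{src}->{dst}".encode()) % sum(loc.weight for loc in eligible)
    for loc in eligible:
        if point < loc.weight:
            return loc
        point -= loc.weight
    return eligible[-1]   # not reached; keeps the return type total


class ITR:
    """Ingress tunnel router: resolves the destination EID on demand,
    caches the mapping, and builds the outer RLOC header (step 4)."""

    def __init__(self, rloc: str, mapping_system: MapServer) -> None:
        self.rloc = rloc
        self.ms = mapping_system
        self.map_cache: dict = {}   # EID-prefix -> Mapping, populated on demand

    def _lookup(self, dst: str) -> Optional[Mapping]:
        addr = ipaddress.ip_address(dst)
        for net, mapping in self.map_cache.items():
            if addr in net:
                return mapping                      # cache hit: no Map-Request
        mapping = self.ms.map_request(dst)          # steps 2-3: Map-Request / Map-Reply
        if mapping is not None:
            self.map_cache[mapping.eid_prefix] = mapping
        return mapping

    def forward(self, src: str, dst: str) -> Optional[dict]:
        """Outer header for an inner src -> dst packet, or None when the
        destination is not in LISP (native forwarding / PxTR path)."""
        mapping = self._lookup(dst)
        if mapping is None:
            return None
        loc = select_locator(mapping, src, dst)
        return {"outer_src": self.rloc, "outer_dst": loc.rloc,
                "inner_src": src, "inner_dst": dst}
```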
40. COOP – Council of Oracles Protocol (see BRKACI-2303)
Council of Oracle Protocol (COOP) is used to communicate the mapping information (location and identity) to the spine proxy.
• Citizens register their directly connected hosts with their Oracle
• Oracles stay in sync using the COO Protocol
• Citizens will send traffic for unknown destinations to an Oracle
• The Oracle forwards the traffic to the Citizen which registered the destination host
• The sending Citizen now learns the location of the destination either from Oracle signaling or return traffic
(Diagram: four Oracles forming the Council of Oracle, with six Citizens registered to them.)
41. ACI and Campus Fabrics Integrated VXLAN Overlay (see BRKACI-2400)
• Decoupled Identity, Location and Policy
(Diagram: ACI Fabric with ACI Spine Nodes and ACI Leaf Nodes; packet format IP | VTEP | VXLAN | Payload.)
§ Forwarding within the Fabric is between VTEPs (ACI VXLAN tunnel endpoints) and leverages an extended VXLAN header format referred to as the ACI VXLAN policy header
§ Any workload anywhere, consistent latency; mapping of tenant MAC or IP address to location is performed by the VTEP using a distributed mapping database
42. Layer 3 EVPN Services for Fabric WAN: "GOLF" Design (ACI 2.0 Release)
§ Connect an ACI Fabric to the external L3 domain (no support for L2 GOLF with ACI)
  • WAN Edge devices functionally behave as ACI "border leafs"
  • Control plane and data plane scale
  • OpFlex for automating the exchange of config parameters (VRF names, BGP Route-Targets, etc.)
§ MP-BGP EVPN control plane between ACI spine and WAN Edge routers
§ VXLAN data plane between ACI spine and WAN Edge routers
§ Consistent policy (Drop/No-Drop, PBR, Copy Services, etc.) for north-south traffic applied at ACI leaf (both ingress and egress directions)
(Diagram: GOLF Routers at the WAN edge run MP-BGP EVPN and OpFlex to the spines, with a VXLAN Data Plane (VXLAN Encap/Decap at both ends); the L3Out is at the spines, in the "infra" Tenant.)
43. Campus Fabric to ACI (see BRKACI-2400)
Campus Fabric Border connectivity with ACI Fabric
(Diagram: Campus Fabric with MS/MR, control node C, edge nodes E and border nodes B, reaching the ACI fabric across an IP Network over a Trusted MP-BGP EVPN link; VXLAN with SGT on the campus side, SGT-EPG Translation at the border, VXLAN with EPG on the ACI side.)
Handoff: Control Plane BGP-EVPN (LISP on the campus side, COOP on the ACI side), Data Plane VXLAN, ACI integration via OpFlex (L3Out EVPN). Border platforms: ASR1K ✓, N77XX/M3 ✓.
44. DC-WAN Hand-Off Automation
DC
§ DC administrator responsibilities:
  • Management of DC network & DC tenants
  • Configure L3-Out
  • Configure handoff EVPN parameters (Route-Targets)
  • Configure tenant (VRF_name)
§ DC administrator provides VRF_name and Route-Target
WAN/Campus (WAN Mgr)
§ WAN administrator responsibilities:
  • Management of WAN service & DC-WAN router
  • Day 0 configuration for DC handoff
  • Parameterized Day 1/2 CLI Templates for DC handoff
§ Day 0 configuration provides seed information for locally derived parameters
§ WAN Service provisioning may be triggered by OpFlex events (e.g. Instantiate VRF and join MPLS VPN or provision LISP)
(Diagram: OpFlex carries <VRF_name, RT> across the Administrative boundary at the VXLAN-EVPN handoff; iVXLAN-COOP on the DC side, BGP/LISP-MPLS/VXLAN on the WAN side.)
Template, with Locally Derived Parameters:
  vrf context $vrfName
    vni $include_vrfSegmentId
    rd auto
    address-family ipv4 unicast
      route-target import $include_bgpRT_1 evpn
      route-target export $include_bgpRT_1 evpn
45. Failures & Changes in the ACI Fabric
External advertisements to reflect state of the ACI Fabric
(Diagram: HOST-H1 in the LISP Network with its Map Server, HOST-H2 in the ACI Fabric behind the Spines, the Borders joined across an IP Network; CONTROL-PLANE LISP / BGP-EVPN / ACI.)
• Host reachability from a spine lost or degraded
• Host advertisements from this spine withdrawn
• Border Routing Tables updated to remove the faulty spine
46. Failures & Changes in the LISP Network
Dynamic redistribution of LISP state into BGP at the Border XTR
(Diagram: same topology as slide 45: HOST-H1 in the LISP Network with its Map Server, HOST-H2 in the ACI Fabric behind the Spines, the Borders joined across an IP Network.)
• Border XTR connectivity to the LISP Network degraded, detected through:
  • Dynamic LISP State updates
  • Core Reachability Tracking
• Registration State Changes communicated to the Border XTR
• Prefix advertisements from this border withdrawn
• Leaf Tables updated to route around the failure
47. Control Plane Interworking
Propagate reachability and segmentation across domains
(Diagram: same topology, with a BGP Adjacency between the LISP Map Server and the Border XTR.)
• LISP Registered Prefixes are advertised in BGP from Map-Server to Border XTR
• The BGP adjacencies between Map-Server and Border XTR are monitored with BFD
• Upon failure, the adjacency is broken, prefixes removed at the Border XTR and withdrawn
• Fast convergence (BFD → 180ms)
48. LISP to BGP-EVPN dynamic route handoff: Separate Border and MS
(Diagram: the LISP MS peers EBGP with the Border, which peers EBGP with the DC Domain (ACI) in the User VRF.)
Map Server (MS) configuration:
router lisp
 !
 instance-id 1000
  service ipv4
   eid-table vrf cust1
   route-export site-registrations        <export registered prefixes to the RIB>
   distance site-registrations 250
  exit-service-ipv4
 site border
  authentication-key 1
  eid-record instance-id 1000 0.0.0.0/0 accept-more-specifics
  eid-record instance-id 1000 72.1.0.0/24 accept-more-specifics
 exit-site
!
router bgp 65002
 neighbor 192.168.29.1 remote-as 65003      <peer with the border>
 !
 address-family vpnv4
  neighbor 192.168.29.1 activate
  neighbor 192.168.29.1 send-community both
  neighbor 192.168.29.1 route-map tag out   <tag routes to Border>
 exit-address-family
 !
 address-family ipv4 vrf PACAF
  aggregate-address 72.1.0.0 255.255.255.0 summary-only
  redistribute lisp metric 10               <redistribute lisp to BGP>
 exit-address-family
route-map tag permit 10                     <community attribute tag>
 set community 655370

Border configuration:
router lisp
 …
 instance-id 1000
  service ipv4
   eid-table vrf cust1
   route-import database bgp 65003 route-map database locator-set border   <register prefixes from external BGP into LISP>
   route-import map-cache bgp 65002        <install punt for LISP prefixes>
  exit-service-ipv4
exit-router-lisp
router bgp 65003
 !
 …
 address-family l2vpn evpn                  <peer with EVPN>
  import vpnv4 unicast re-originate
  neighbor 102.102.102.102 activate
  neighbor 102.102.102.102 send-community both
 exit-address-family
 !
 address-family ipv4 vrf cust1
  advertise l2vpn evpn
  redistribute connected
 exit-address-family
!
ip community-list 1 permit 655370          <match the community value set by the MS/MR>
!
route-map database deny 10                  <deny the prefixes coming from the MS/MR from being imported into the database; permit the rest>
 match community 1
!
route-map database permit 20
49. LISP to BGP-EVPN dynamic route handoff: Consolidated Border and MS
(Diagram: the combined Border/LISP MS peers EBGP with the DC Domain (ACI) in the User VRF.)
router lisp
 …
 instance-id 1000
  service ipv4
   eid-table vrf cust1
   route-import database bgp 101 locator-set border   <register prefixes from external BGP into LISP>
   route-export site-registrations                    <export registered prefixes to the RIB>
   distance site-registrations 250
   map-cache site-registration                        <install punt adjacencies for registered LISP prefixes>
  exit-service-ipv4
 !
 site border
  authentication-key 1
  eid-record instance-id 1000 0.0.0.0/0 accept-more-specifics
  eid-record instance-id 1000 72.1.0.0/24 accept-more-specifics
 exit-site
 !
exit-router-lisp
router bgp 101
 !
 …
 address-family l2vpn evpn
  import vpnv4 unicast re-originate
  neighbor 102.102.102.102 activate
  neighbor 102.102.102.102 send-community both
 exit-address-family
 !
 address-family ipv4 vrf cust1
  advertise l2vpn evpn
  redistribute connected
  redistribute lisp metric 10                         <redistribute lisp installed routes to BGP>
  aggregate-address 72.1.0.0 255.255.255.0 summary-only
 exit-address-family
!
51. Fabric Enabled Segmentation: Virtual Networks
(Diagram: Virtual Networks carried over an Underlay Network.)
VXLAN packet: Outer/Transport IP-UDP Header | VXLAN Header | Original IP Packet or L2 Frame
The VXLAN Header carries the Virtual Network Identifier (24 bits) and the Group Policy Identifier (16 bits).
52. Cisco TrustSec
Simplified segmentation with Group Based Policy
(Diagram: Campus Switches with Voice, Employee, Supplier and Non-Compliant endpoints on VLAN A and VLAN B; ISE; Enterprise Backbone; a DC Switch or Firewall enforcing in front of Application Servers and Shared Services using the Employee Tag, Supplier Tag and Non-Compliant Tag. The DC switch receives policy for only what is connected.)
• Classification: Static or Dynamic SGT assignments
• Propagation: Carry "Group" context through the network using only SGT
• Enforcement: Group Based Policies; ACLs, Firewall Rules
53. TrustSec Access Control
Consistent access governed by simplified policy
(Diagram: Campus Switches with Voice, Sales, Supplier and Non-Compliant endpoints on VLAN A and VLAN B; Enterprise Backbone; a DC Switch or Firewall enforcing in front of Application Servers and Shared Services using the Sales Tag, Supplier Tag and Non-Compliant Tag; a Group Registry.)
• Users are authenticated and authorized into end-point groups (aka Scalable Groups)
• Policy defined between Scalable Groups
• Scalable Group Tags (SGTs) encoded in a VXLAN header
• Access Policy enforced based on SGTs
• Improve access control policy manageability and scale
User-User Contract: SG-ACL; User-Device Contract: SG-ACL
54. Cisco TrustSec: Ingress Classification with Egress Enforcement
(Diagram: a user on a Cat3850 / WLC5508 access layer, Cat6800 distribution, Enterprise Backbone, then Nexus 7000, Nexus 5500 and Nexus 2248 in front of the CRM and Web servers.)
• Ingress: User Authenticated = Classified as Marketing (5). The packet SRC: 10.1.10.220, DST: 10.1.100.52 carries SGT: 5 across the network.
• Destination Classification: CRM: SGT 20 (DST: 10.1.100.52), Web: SGT 30 (DST: 10.1.200.100)
• Egress Enforcement (SGACL): FIB Lookup = Destination MAC = SGT 20
SGACL matrix (SRC ↓ / DST →):
  SRC \ DST       | CRM (20) | Web (30)
  Marketing (5)   | Permit   | Deny
  BYOD (7)        | Deny     | Permit
55. What are SGTs? How do they differ from EPGs? (see BRKACI-2400)
Campus Fabric
§ SGT is a security group tag assigned to a user's or device's traffic in campus networks based on their roles
§ SGT is a 16 bit value that Cisco ISE assigns to the user or endpoint's session upon login
§ SGT is globally unique
ACI Fabric
§ EPG is an end point group in the ACI fabric used to group servers that require similar treatment of policy
§ EPG is hierarchical in nature
56. VXLAN and GBP extensions
Ethernet in IP with a shim for scalable segmentation and policy metadata
VXLAN: Outer MAC Header | Outer IP Header | Outer UDP Header | VXLAN Header | Original Layer 2 Frame | FCS
VXLAN-GBP: the same framing, with the Group Based Policy identifier carried in the VXLAN Header
GBP = Group Based Policy; SGT (SDA) = EPG (ACI)
57. SGT & EPG Source Group: Mapping of Group Based Policy ID
Layer 2 SGT Frame and Cisco Meta Data (CMD) Format:
  DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC
  (the CMD sits in the portion of the frame that 802.1AE encrypts and authenticates)
  CMD: Version | Length | CMD EtherType | SGT Opt Type | SGT Value | Other CMD Options
Data Plane Encapsulation (GBP VXLAN):
  Outer Ethernet | Outer IP | Outer UDP | GBP VXLAN (8 Bytes) | Inner Ethernet | Inner IP Header | Payload | New FCS
  GBP VXLAN header fields: Flags | Group Policy ID (SGT) | VXLAN Instance ID (VNID) | M/LB/SP | Flags/DRE
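The GBP VXLAN header on this slide and the egress SGACL enforcement of slide 54, as one added example (not code from the presentation): pack and parse the 8-byte header, then look the carried source group up against the destination group in the SGACL matrix. The bit positions follow the VXLAN Group Policy draft; the VNI value 4099 and the function names are this example's assumptions.

```python
"""VXLAN-GBP header encode/decode and egress SGACL enforcement.

Added example. Header layout per draft-smith-vxlan-group-policy: byte 0
carries the G (group policy present) and I (VNI valid) flags, byte 1 the
D (don't learn) and A (policy applied) flags, then a 16-bit Group Policy
ID, a 24-bit VNI and one reserved byte. The SGACL matrix and the host
addresses are the ones on slide 54; VNI 4099 is a constructed value."""
import struct
from dataclasses import dataclass

FLAG_G = 0x80   # byte 0: Group Policy ID field is valid
FLAG_I = 0x08   # byte 0: VNI field is valid (standard VXLAN)
FLAG_D = 0x40   # byte 1: don't learn the inner source address
FLAG_A = 0x08   # byte 1: policy already applied by an upstream hop


@dataclass
class VxlanGbpHeader:
    vni: int                  # 24-bit Virtual Network Identifier
    group_policy_id: int      # 16-bit source group: SGT in SDA, EPG class in ACI
    policy_applied: bool = False
    dont_learn: bool = False

    def pack(self) -> bytes:
        """Serialize to the 8-byte on-the-wire header (network byte order)."""
        if not 0 <= self.vni < (1 << 24):
            raise ValueError("VNI must fit in 24 bits")
        if not 0 <= self.group_policy_id < (1 << 16):
            raise ValueError("Group Policy ID must fit in 16 bits")
        byte1 = (FLAG_D if self.dont_learn else 0) | (FLAG_A if self.policy_applied else 0)
        return (struct.pack("!BBH", FLAG_G | FLAG_I, byte1, self.group_policy_id)
                + self.vni.to_bytes(3, "big") + b"\x00")

    @classmethod
    def unpack(cls, data: bytes) -> "VxlanGbpHeader":
        """Parse the header; reject frames whose flags say no VNI or no group ID."""
        if len(data) < 8:
            raise ValueError("VXLAN header is 8 bytes")
        byte0, byte1, gpid = struct.unpack("!BBH", data[:4])
        if not byte0 & FLAG_I:
            raise ValueError("I bit clear: VNI not valid")
        if not byte0 & FLAG_G:
            raise ValueError("G bit clear: no group policy ID carried")
        return cls(vni=int.from_bytes(data[4:7], "big"), group_policy_id=gpid,
                   policy_applied=bool(byte1 & FLAG_A), dont_learn=bool(byte1 & FLAG_D))


# Slide 54: destination classification and the SGACL matrix (source, destination).
DEST_SGT = {"10.1.100.52": 20, "10.1.200.100": 30}   # CRM: SGT 20, Web: SGT 30
SGACL = {
    (5, 20): "permit",   # Marketing -> CRM
    (5, 30): "deny",     # Marketing -> Web
    (7, 20): "deny",     # BYOD -> CRM
    (7, 30): "permit",   # BYOD -> Web
}


def egress_enforce(header: bytes, dst_ip: str, default: str = "deny") -> str:
    """Egress enforcement: read the source group from the VXLAN-GBP header,
    classify the destination by its address, and look the pair up in the
    SGACL matrix. Unknown destinations or unlisted pairs fall back to
    `default` (this example's choice; a real SGACL has a configured default)."""
    hdr = VxlanGbpHeader.unpack(header)
    if hdr.policy_applied:
        return "permit"       # A bit set: policy was enforced upstream, do not re-apply
    dst_sgt = DEST_SGT.get(dst_ip)
    if dst_sgt is None:
        return default
    return SGACL.get((hdr.group_policy_id, dst_sgt), default)
```

The enforcer trusts the group ID it finds in the header, which is why the handoff between fabrics runs only over the trusted border link shown on slide 43.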
58. Connecting Multiple Fabrics Together
Preserving Segmentation and Group Policy Semantics
59. Campus Fabric SGTs Provisioned in ACI (see BRKACI-2400)
ISE dynamically provisions SGTs and IP mappings (SXP service) into APIC-DC
(Diagram: Security Groups in the Campus Fabric Domain become External (Outside Fabric) EPGs in ACI, e.g. EXT-EPG1 and EXT-EPG3.)
60. ACI EPGs Automatically Propagated into Campus Fabric (see BRKACI-2400)
ISE dynamically learns EPGs and VM Bindings from the ACI fabric and shares them to SXP
(Diagram: Internal (Inside Fabric) EPGs with members VM1 and VM25 appear as Security Groups from APIC-DC in the Campus Fabric Domain.)
61. SDA – ACI Policy Data-Plane Mapping
(Diagram: SDA Policy Domain with ISE and the Auditor endpoint 10.1.10.220; ACI Policy Domain with the PCI endpoint 10.1.100.52 behind an ACI Border Leaf and ACI Spine (N9K). The SDA Border Device (ASR 1K/N7K*) performs SGT/EPG Namespace Alignment using an SGT # to EPG # Translation Table.)
• In the SDA domain: SRC: 10.1.10.220, DST: 10.1.100.52, SGT: 5
• After translation at the border: SRC: 10.1.10.220, DST: 10.1.100.52, EPG: #
62. Campus Fabric SGT Info Used in ACI Policies
(Diagram: Campus Fabric Policy Domain (ISE at the Controller Layer, Campus Fabric at the Network Layer) and ACI Policy Domain (Controller Layer; ACI Border Leaf, ACI Spine and ACI Leaf, all N9K, at the Network Layer). The Auditor 10.1.10.220 sends Plain Ethernet (no CMD) into the campus fabric; the PCI EPG host 10.1.100.52 receives Plain Ethernet (no CMD) from the ACI Leaf.)
• ISE Retrieves: EPG Name: PCI EPG; EPG Binding = 10.1.100.52
• ISE Exchanges: SGT Name: Auditor; SGT Binding = 10.1.10.220
• In ACI the SGT is represented as EPG Name = Auditor, Groups = 10.1.10.220, so SGT Groups are available in ACI Policies
• Packet walk for SRC: 10.1.10.220, DST: 10.1.100.52: SGT: 5 in the campus fabric, 17000 at the ACI border, then EPG inside ACI
63. ISE and APIC identity exchange
(Diagram: SDA Policy Domain: User – Switch – Router* with LISP, SGT & VXLAN and Classification; ACI Policy Domain: Nexus9000 Spine – Nexus9000 Leaf – Server with BGP EVPN, EPG & VXLAN. Controllers: APIC-EM (IP, SGT mappings), Cisco ISE 2.1 (Security Groups), Cisco APIC-DC (End Point Groups).)
• ISE & APIC Exchange Groups and Member information
• ISE creates SGT to EPG translation table (IP-ClassId, VNI bindings)
• Send translation table to ASR 1K/N7K
APIC - Application Policy Infrastructure Controller, ACI - Application Centric Infrastructure
*ASR1K & N7700-M3 1HCY17
64. Sharing Context Across the Enterprise
(Diagram: Campus Fabric Policy Domain with ISE and the Auditor endpoint 10.1.10.220; ACI Policy Domain with the PCI endpoint 10.1.100.52 behind an ACI Spine (N9K). The Campus Fabric Border Device (ASR 1K/N7K*) performs SGT/EPG Namespace Alignment using an SGT # to EPG # Translation Table.)
• In the campus fabric: SRC: 10.1.10.220, DST: 10.1.100.52, SGT: 5
• After translation at the border: SRC: 10.1.10.220, DST: 10.1.100.52, EPG: #
* M3 Roadmap
65. Campus to ACI Flow (see BRKACI-2400)
(Diagram: Campus Fabric Policy Domain with MS/MR, control node C, edge nodes E and border nodes B; the ASR1K border (16.5.1, March ✓) performs SGT <-> EPG translation; ACI Policy Domain with Golf L3out and APP-EPG.)
• SGT-EPG translation at the border; VXLAN GBP across the handoff
• Contract Applied on Leaf: Lookup: s-class, d-class, policy
• Target: Q2-CY17
66. ACI to Campus Flow (see BRKACI-2400)
(Diagram: TrustSec/ISE Policy Domain with MS/MR, control node C, edge nodes E and border nodes B; the ASR1K border (16.5.1, March ✓) performs SGT <-> EPG translation; ACI Policy Domain with Golf L3out and APP-EPG.)
• In ACI: VzAny Contract, Permit-all or filter ports
• SGT-EPG translation at the border; VXLAN GBP across the handoff
• In the campus: SGACL Policy Applied (e.g. Employee-SGT)
• Target: Q2-CY17
67. SDA-DC Policy Driven Context Mapping
User Experience: Simply Define User-Application Relationships
(Diagram: WAN/Campus scope of management with VRF 1 and VRF 2 (SGTs in VXLAN) and DC scope of management with VRF 1 and VRF 2 (EPGs in VXLAN), joined by VXLAN-EVPN; User to App Contracts from client C to Web; Extranet provided with route leaking between VRF A, VRF B, VRF C and VRF D.)
• The Policy Registry includes VRF/Context information for each group
• The Extranet relationships may be derived from the user-app contracts
• Extranets will be rendered automatically in the ACI Fabric
69. Cisco Spark
Ask Questions, Get Answers, Continue the Experience
Use Cisco Spark to communicate with the Speaker and fellow participants after the session. Download the Cisco Spark app from iTunes or Google Play.
1. Go to the Cisco Live Melbourne 2017 Mobile app
2. Find this session
3. Click the Spark button under Speakers in the session description
4. Enter the room, room name = BRKACI-1090
5. Join the conversation!
The Spark Room will be open for 2 weeks after Cisco Live
70. Complete Your Online Session Evaluation (BRKACI-1090)
Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations: www.CiscoLiveAPAC.com
Give us your feedback and receive a Cisco Live 2017 Cap by completing the overall event evaluation and 5 session evaluations. All evaluations can be completed via the Cisco Live Mobile App. Caps can be collected Friday 10 March at Registration.