topic Re: SD-Access, VN with multiple IP pools in Software-Defined Access (SD-Access)

SD-Access, VN with multiple IP pools

GuyJCRaymakers40943 — Wed, 26 Jan 2022 15:38:01 GMT

Hi colleagues,

I was wondering whether anyone has come across the following situation, related to migration of a standard LAN to SDA.

In the traditional LAN (typical 2-tier with L3 on the core and L2 downstream on the access) there could be multiple VLANS serving the same client types on different access-switches (worst case - a VLAN per access switch). Looking at the transition to SDA, and where we can't change existing used IPs, what are the options? Any thoughts pls?

Thanks,

Guy

Re: SD-Access, VN with multiple IP pools

Scott Hodgdon — Wed, 26 Jan 2022 16:27:59 GMT

@GuyJCRaymakers40943 ,

This is a very typical request for migration where IP subnets must be both in and out of the fabric at the same time. I recommend having a look at the SD-Access Migration sessions in the Cisco Live On-Demand Library, specifically:

Real World Route/Switch to Cisco SD-Access Migration Tools and Strategies - BRKCRS-3493 Event: 2020 Digital APJC
Updated Cisco SD-Access Migration Strategies - BRKENS-2008 Event: 2021 Digital
Cisco SD-Access Integrating with Your Existing Network - BRKCRS-2812 Event: 2020 Barcelona

As far as having multiple IP Pools in the same VN, that is not a problem at all. It has been supported since Day 1 of SDA.

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group

Re: SD-Access, VN with multiple IP pools

GuyJCRaymakers40943 — Wed, 26 Jan 2022 16:49:17 GMT

Thanks Scott,

Indeed - the multiple IP pools in a VN is OK - just having i.e. 10 IP pools for the same user community (example "employees"), not sure how to deal with that from an ISE policy point of view (authorization VLANs?). So perhaps this is more an ISE question than SD-Access...

I'll take a look at the listed CL sessions.

Cheers,

Guy

Re: SD-Access, VN with multiple IP pools

Scott Hodgdon — Wed, 26 Jan 2022 17:28:11 GMT

@GuyJCRaymakers40943 ,

Yes, ISE will assign a VLAN based on the authentication result and then that VLAN is mapped to a VN (aka VRF) on the SVI.

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group

Re: SD-Access, VN with multiple IP pools

GuyJCRaymakers40943 — Thu, 27 Jan 2022 06:57:58 GMT

Hi Scot,

Indeed - so in the scenario where you end up, in SDA (not traditional networking), with multiple VLANS for the same user community within the same VN - how do you craft the ISE policy so that users are shared across these multiple vlans after they authenticated? That's really the scenario i'm looking into.

user "employees" and I have vlan names employee_1, employee_2, employee_3, employee_4, etc..

Best regards,

Guy

Re: SD-Access, VN with multiple IP pools

Scott Hodgdon — Thu, 27 Jan 2022 08:06:55 GMT

@GuyJCRaymakers40943 ,

In ISE there will be policy sets that will assign a VLAN based on the authentication / authorization information or perhaps even device profiling (or both). So perhaps the VN "Employees" has VLANs for HR, Sales, Engineering, Finance, IT, etc, and the employees in those groups are assigned to those VLANs when they are authenticated by ISE.

Have a look at the Policy Sets chapter at https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_segmentation.html#ID37 . If you can get yoru hands on a a demo ISE in dcloud.cisco.com or developer.cisco.com (see the sandboxes), then that will help you look at the GUI to better understand what is being discussed in the admin guide.

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group

Re: SD-Access, VN with multiple IP pools

GuyJCRaymakers40943 — Thu, 27 Jan 2022 08:54:17 GMT

Thanks Scott,

Let me add one more layer - in my example assume all users are Engineering and they need to get "distributed" across these multiple vlans (on SDA). How would we do that in ISE?

Cheers,

Guy

Re: SD-Access, VN with multiple IP pools

Scott Hodgdon — Thu, 27 Jan 2022 11:27:06 GMT

@GuyJCRaymakers40943 ,

I do not know the inner workings of ISE (not my area of focus), so you may want to follow up with this in the ISE community. That said, the way I believe it works is to add user/device profiles to specific groups in ISE and then those groups are associated with specific policy sets.

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group

Re: SD-Access, VN with multiple IP pools

markus.forrer — Thu, 03 Feb 2022 20:24:02 GMT

Hi Guy

You can archive that one by putting the switches into different location groups. You also have to define different AuthZ Result with the different Vlan assigned.

Then you can make policy sets based on the location of the switches.

For example if Engineer A connected to Switch in Location A he gets Engineer-VLAN-A assigned.

Re: SD-Access, VN with multiple IP pools

Andrii Oliinyk — Thu, 04 May 2023 21:21:09 GMT

if it's for specific SGT assignment u always can differentiate endpoint with specific attribute as belonging to specific ID-group :0)

does it make sense for u in your case?