Cisco SDA: L2 VN

pranav nandgaonkar · ‎08-26-2022

Hello Folks,

I wanted to understand if the Layer 2 Virtual Network Feature is supported for general deployments of SDA since the L2VN tab in DNAC still says to consult Cisco before proceeding. I have a scenario where the gateway sits outside the fabric and only the Layer 2 of the VLAN has to be stretched inside the SDA fabric essentially allowing some special users of that VLAN to get access to the gateway.

jedolphi · ‎08-28-2022

Hi Pranav. It's Generally Available (GA) for SD-Access wired endpoints starting with DNA Center Release 2.3.3.x in UI2.0 (toggle "Preview New SD-Access" to on). We've updated the workflow text to remove commentary about contacting a Cisco representative and that should be visible to you in the next 2.3.3.x update. GA for wireless endpoints is being worked on now, if you need an ETA please talk to your SE or AM. Best regards, Jerome

pranav nandgaonkar · ‎09-29-2022

Thanks for the information. One additional thing to ask regarding the L2VN-> which option would be suitable in a situation where the external L3 switch has the SVI and I want to connect that switch to the Border Nodes of the Fabric. I cannot use L3 Handoff since I dont want any routing enabled and if I use L2 Handoff, it doesn't give the option to select L2VN that I can peer the external switch with. What construct I can use with respect to Borders that allows me to stretch the VLAN inside SDA using L2VN. (L3Handoff is out of the list and L2Handoff doesn't give the option for selecting L2VN). Any views on this?

jedolphi · ‎09-29-2022

Hi Pranav, it works in my lab. Are you clicking the correct link under L2HO? If it's not showing up there then please consider raising a TAC case.

pranav nandgaonkar · ‎03-27-2023

I upgraded to 2.3.3.6 and I got to know that in version 2.2.3.x , it was limited but now I am happy to see the fully stabilised version in 2.3.3.6 and later. Thanks for your help!

SDhaliwal · ‎07-13-2023

I've heard that it's not a good practice or cisco doesn't recommend using the same node to perform Layer 2 and Layer 3 handoffs. Also, What issues could it cause if we were to collocate Layer 2 and Layer 3 handoffs on the same node?

jedolphi · ‎07-13-2023

Hello SDhaliwal, regardless of SD-Access or no SD-Access, layer 2 networks are dependent on loop prevention mechanisms (STP, REP, FlexLink+, etc.) for stability, and at times these mechanisms can fail, or may be accidentally bypassed through human error. On that basis it's generally safest to separate your layer 2 handoff (L2HO) from your layer 3 handoff (L3HO). When the two are combined on the same Border Node, if there is a stability problem in the layer 2 network outside of SD-Access, then it may impact the Border Node as a whole. In other words, we generally recommend keeping L2HO and L3HO as separate to reduce the chances of stability problems cascading. That said, it is completely supported to configure L2HO and L3HO on the same Border Node if you wish to. Cheers, Jerome

SDhaliwal · ‎07-14-2023

Jedolphi,

Understood. Thank you.

It seems that the L2VN we created at primary site can't be used at other Fabric sites we have in our environment, Is that correct statement?

Regards,

S

jedolphi · ‎07-16-2023

Hi SDhaliwal, if you are asking for a single L2VN the stretches across multiple Fabric Sites then it's not encouraged, but it can be done if there's no other way. For this we need to manipulate the L2VN objects in a bit of an unusual manner, so I'd ask for you to consult with your Cisco SE or AM or CX representative please - doing this introduces several complexities that require a longer discussion about pros/cons/protocols. Your SE/AM/CX person can contact me internally if they need help. Best regards, Jerome

Roman Rodichev · ‎10-11-2023

Jedolphi,

I'm also interested in a L2VN stretch between fabrics. We know how to do L3VN anchoring between sites, but wondering how to do this with L2VN. You mentioned manipulating L2VN object? Is this something that can be done from CLI? I'm assuming they would have to be the same VNID and anchoring site would need server map pointers to anchor site. Is this something supported by Cisco yet? Are you guys planning to add this to the DNAC GUI? The use case is a guest VLAN with a firewall as a default gateway at the main site.

SDhaliwal · ‎10-19-2023

@Roman Rodichev

With help of @jedolphi and another Cisco employee, I was able to successfully extend L2VN between sites. There are few different components that involved with having MSRB node, and enabling multicast in your environment.

Roman Rodichev · ‎10-19-2023

Nice! I assume that was some manual configuration in CLI? Could you share just a small excerpt of what you changed to make it work?

jedolphi · ‎11-06-2023

All the overlay configurations for multi-site L2VN are automated by DNA Center. To make L2VN work for endpoints (ARP, etc.) we need L2F enabled (which it is by default in an L2VN, you cannot turn it off), which means we need a common underlay ASM tree between all Fabric Nodes that instantiate the multi-site L2VN. The necessary underlay ASM signalling and forwarding (inter-site PIM-SM, RP configuration, etc) needs to be done manually for the most part - outside of LAN Automation DNA Center does not configure underlay multicast. In your multi-site L2VN LISP IID you'll see an mcast group for BUM L2F, the mcast group configured in your network will need to be sent and received in underlay at all Fabric Sites instantiating the L2VN. If you have an SE then please talk to them, or raise a TAC case, or DM me and I'll try to t/shoot with you.

FABRIC_EDGE_NODE#
!
router lisp
instance-id 8188
service ethernet
broadcast-underlay 239.0.17.1 << ASM group used to flood L2VN BUM
eid-table vlan 1021 <<L2VN ACCESS VLAN ID
exit-service-ethernet
exit-router-lisp