SD-Access Multisite IP Transit

Mohamed Haleem
Level 1

If we have, for example, two fabric sites, site1 and site2, with a WAN between them, we will use IP Transit at each fabric site so that all fabric sites can communicate with each other. On the SGT side we will use the SXP protocol to exchange SGTs between the borders at each fabric site. But what about the VN? When traffic leaves the border at each fabric site, the SGT and VN information is removed from the packet and the packet is forwarded as a pure IP packet until it reaches the other fabric site. Say, for example, a host at site1 talks to a host at site2: the traffic leaves site1 as a pure IP packet, so when the packet reaches site2, which VN does it join? Or does it depend on the destination? If it depends on the destination, then a host at fabric site1 in the Campus VN can send traffic to a host at fabric site2 in the HR VN and they can talk to each other, since there is no isolation between the two VRFs/VNs between the two fabric sites, so we cannot achieve macro segmentation.


So I have the questions below, please.

1- How can we achieve macro segmentation at the VN level, or in this case is there no macro segmentation?

2- Will we deploy the same VN at all fabric sites, or a different VN at each fabric site?

3- Can we deploy the same VN at all fabric sites? In that case I think we should assign a different subnet at each site.

4- Can we achieve host mobility between fabric sites in this case? I think we cannot, since each fabric site will have a different subnet, so when we automate the edge switch at each fabric site the same VN will have a different SVI at each fabric site, and when a user authenticates with ISE the user port will be assigned to a specific VLAN, which should be consistent at all fabric sites if we need host mobility.

5- If a host at fabric site1 in the Campus VN sends a ping to a host at fabric site2 in the HR VN, the ping will get a reply, because the packets leave the borders as pure IP packets and there is no isolation between the two VNs, so no segregation can be achieved at the VN level. Is that right or not?

1 Reply

Xividar
Level 1

Answers below; please, someone correct me if my understanding is incorrect or misleading.


1- How can we achieve macro segmentation at the VN level, or in this case is there no macro segmentation?
The VN is nothing more than a VRF, so you will run VRF-Lite between your Borders, with a BGP handoff. If you have more than 2 sites, you should probably think about a Distributed Campus set-up with SDA Transit; that way the set-up becomes a lot easier, with the only need for an IP Transit being the Border connected to your Shared Services block.

2- Will we deploy the same VN at all fabric sites, or a different VN at each fabric site?
You can run the same VNs across the fabric. But your point below is valid.


3- Can we deploy the same VN at all fabric sites? In that case I think we should assign a different subnet at each site.

Correct (and as above): each Fabric Site requires a unique subnet, i.e. an IP Pool, for each VN configured.


4- Can we achieve host mobility between fabric sites in this case? I think we cannot, since each fabric site will have a different subnet, so when we automate the edge switch at each fabric site the same VN will have a different SVI at each fabric site, and when a user authenticates with ISE the user port will be assigned to a specific VLAN, which should be consistent at all fabric sites if we need host mobility.
As far as I understand, yes. Each client would get a new IP address based on their local Anycast GW.
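To make the VRF-Lite/BGP handoff in the reply above concrete, here is an added, hand-written IOS-XE fragment for the site1 border node with two VNs, CAMPUS and HR. It is not configuration from the original post, from Cisco DNA Center provisioning, or from any real deployment; the VRF names, route distinguishers, handoff VLAN IDs, /30 addresses, AS numbers, loopbacks and SXP peer are all assumed. It addresses questions 1 and 5: each VN leaves the border as its own VRF on its own dot1q subinterface and its own BGP VRF address-family, so the WAN router keeps two separate routing tables and a CAMPUS host at site1 has no route to an HR prefix at site2 unless someone deliberately leaks routes between the VRFs. SGTs travel separately over SXP, as the question assumes, because the pure-IP WAN strips the inline tag.

```cisco
! Site1 border node, IOS-XE. Illustrative only: names, addresses and ASNs are assumed.
! One VRF per VN. Macro segmentation survives the IP transit because each VRF
! gets its own subinterface and its own BGP VRF address-family toward the WAN.
vrf definition CAMPUS
 rd 65001:4099
 address-family ipv4
 exit-address-family
!
vrf definition HR
 rd 65001:4100
 address-family ipv4
 exit-address-family
!
! Physical handoff link toward the WAN router (routed port, carries only subinterfaces)
interface TenGigabitEthernet1/0/1
 no switchport
 no ip address
!
! One dot1q subinterface per VN; VLAN ID and /30 are the handoff for that VRF only
interface TenGigabitEthernet1/0/1.3001
 encapsulation dot1Q 3001
 vrf forwarding CAMPUS
 ip address 10.255.1.1 255.255.255.252
!
interface TenGigabitEthernet1/0/1.3002
 encapsulation dot1Q 3002
 vrf forwarding HR
 ip address 10.255.1.5 255.255.255.252
!
! eBGP to the WAN router, one session per VRF. Fabric (LISP) prefixes are
! redistributed into BGP per VRF, so site2 learns CAMPUS prefixes only inside CAMPUS.
router bgp 65001
 bgp router-id 10.0.0.1
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf CAMPUS
  redistribute lisp metric 10
  neighbor 10.255.1.2 remote-as 65000
  neighbor 10.255.1.2 activate
 exit-address-family
 !
 address-family ipv4 vrf HR
  redistribute lisp metric 10
  neighbor 10.255.1.6 remote-as 65000
  neighbor 10.255.1.6 activate
 exit-address-family
!
! Intentionally absent: any "route-target import" pulling HR routes into CAMPUS, or a
! fusion router leaking between the two. Without that, a CAMPUS host at site1 pinging
! an HR /24 at site2 finds no route in the CAMPUS table and the ping fails (question 5).
!
! SGT propagation to the site2 border over the WAN via SXP (IP-to-SGT bindings),
! since the pure-IP WAN does not carry the inline CMD tag. Peer address is assumed.
cts sxp enable
cts sxp default source-ip 10.0.0.1
cts sxp default password 0 REPLACE-WITH-SHARED-SECRET
cts sxp connection peer 10.0.0.2 password default mode local both
```

The site2 border mirrors this, with its own /30s and its own CAMPUS and HR BGP sessions to the WAN router. To confirm the isolation rather than assume it, check `show ip route vrf CAMPUS` on the border and verify that no HR prefixes appear there, `show bgp vpnv4 unicast vrf CAMPUS summary` for the per-VRF session state, and `show cts sxp connections` plus `show cts role-based sgt-map all` to confirm the remote site's IP-to-SGT bindings actually arrived. If the WAN device preserves the CMD header (inline tagging), SXP is not required for that hop, but the per-VRF handoff is still what provides the VN-level separation.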