SDA Multi-Site

i_mohamed
Level 1

Hello,

If we have 2 "huge" sites, each with over 3,000 switches and 1,000 access points, and one of these sites is already running a full DNA/SDA solution with a DNA cluster & ISE nodes. We need to build the second site now. The two sites are connected with direct high-speed fiber links (Campus, not WAN). The users can move between the two sites and should have the same access privileges.

Questions:

* What are our options for building the SDA setup at the second site?

* How can we connect them together? 

* Will there be any policy synchronization/propagation from the old existing site (with its already defined policies) to the new site setup? (SGT, contracts, VNs, etc.)

* During operation: What will happen when we need to apply changes to the policies (user access privileges, VNs, etc.)? Should we apply these changes on both sides, or will they be synced?

Regards,


* What are our options for building the SDA setup at the second site? 

Didn't you have one already? Why don't you follow the same setup?

 

* How can we connect them together?

What? Didn't they? You wrote: "The two sites are connected with direct high-speed fiber links (Campus not WAN)"

 

* Will there be any policy synchronization/propagation from the old existing site (with its already defined policies) to the new site setup? (SGT, contracts, VNs, etc.)

It depends. It can, if you add the second site to the same DNAC, but make sure about the capacity. Otherwise, you will have to create a cluster to make this possible.

But, there is no copy/paste. You will need to create fabrics just like you did for the first site.

 

* During operation: What will happen when we need to apply changes to the policies (user access privileges, VNs, etc.)? Should we apply these changes on both sides, or will they be synced?

It depends a lot. Using SGT as an example, yes. If you are using only one DNAC or cluster and the same ISE, then, if you add or delete a permission, this will apply to everyone in that SGT.


Thanks for the feedback. Capacity is the big issue here. The new site size cannot be added to the existing DNA cluster. The question here: If we add a new DNA cluster and integrate it with the same ISE cluster (after expanding it to accommodate the new site):

1- What will be the relation between the two DNA clusters?

2- Will they see each other?

3- What about the policies that were already defined on the first DNAC? Will they be synchronized in any way to the new one? (scalable groups, access policy, etc.)

Thanks

Cisco announced a "DNAC of DNACs" some time ago but never released it.

In my last job I used to manage 10 DNAC clusters with 1000 sites each.

But it is possible to define one cluster as the master, and all policies will be added and changed on this cluster.

However, switch configuration is performed per cluster. Which means, if you have two clusters and switches are added to both Cluster A and B, each cluster will manage its switches, although policies will be managed from one cluster only.

There are good Cisco docs about HA and Disaster Recovery out there that can give you a pretty good idea of how to design inter-cluster communication.

trickyg
Level 1

We deploy 3 fabrics, all connected via links capable of running jumbo frames. Support for jumbo frames allows SGT inline tagging to be enabled on the inter-site links so that a device's/user's assigned SGT value remains intact (the VXLAN SGT value gets added as a tag before being transmitted to another fabric).

 

One policy is applied to all three fabrics, so there is no need to configure separate policies per fabric. We deploy SGT maps on each site's border routers that are identically configured to ensure all three fabrics classify the non-SDA traffic that we may need to include in policies.

 

This method was adopted as there are not likely to be many changes to the policies/identification of non-SDA traffic. However, as your deployment is very large, you may wish to distribute the SGT mappings dynamically via ISE (SXP).

 

The SGT inline tagging method for inter-fabric traffic was simpler. We also extend guest traffic in a separate VRF routing instance between the sites using the same method.
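For readers who have not seen what the two mechanisms in the post above look like on a box, here is an added IOS-XE configuration sketch for one fabric border. It is not trickyg's configuration and not taken from any Cisco document; the interface name, SGT numbers, prefixes and SXP peer addresses are constructed placeholders. It shows the jumbo MTU and inline SGT tagging on the inter-site link, the static IP-to-SGT maps that would be repeated identically on every border, and the SXP listener that replaces those static maps when the mappings are instead pushed from ISE.

```cisco
! Added example (not from the thread). All names, tags and addresses are placeholders.

! 1) Jumbo frames: the Cisco Meta Data (CMD) header that carries the SGT
!    must fit on the inter-site link, so raise the system MTU on both ends.
system mtu 9100

! 2) Inline SGT tagging on the link toward the other fabric site.
!    'trusted' keeps the SGT already present in received frames instead of
!    re-classifying them with the static value; the static SGT (2 here) is
!    only applied to untagged traffic arriving from the peer.
interface TenGigabitEthernet1/0/1
 description Inter-site link to Fabric-B border (placeholder)
 cts manual
  policy static sgt 2 trusted
  propagate sgt

! 3) Static IP-to-SGT mappings for non-SDA prefixes. These must be configured
!    identically on every border so all fabrics classify the same traffic
!    the same way (placeholder prefixes and tags).
cts role-based sgt-map 10.200.0.0/16 sgt 20
cts role-based sgt-map 10.201.5.10 sgt 30

! 4) Alternative for a large deployment: learn the mappings from ISE over SXP
!    instead of maintaining static maps on each border. ISE is the speaker,
!    the border is the listener. Addresses and password are placeholders.
cts sxp enable
cts sxp default source-ip 10.255.0.1
cts sxp default password 0 placeholder-sxp-password
cts sxp connection peer 10.255.0.100 source 10.255.0.1 password default mode local listener

! Verification after the change, to confirm tags and mappings are really in effect:
!   show cts interface TenGigabitEthernet1/0/1
!   show cts role-based sgt-map all
!   show cts sxp connections brief
```

The static maps and the SXP section are alternatives, not complements; a border that has both sources should be checked with `show cts role-based sgt-map all` so that a stale static entry does not silently shadow the mapping ISE distributes. Whichever source is used, enforcement on the receiving fabric only works if the inter-site link actually trusts inbound tags, which is what `policy static sgt ... trusted` provides.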

jedolphi
Cisco Employee

Hello i_mohamed, each type of DNA Center appliance (there are 3 types) can accommodate different scales. In your scenario it's possible that migrating to an XL appliance or a cluster of XL appliances would allow both fabric sites to be managed by a single DNA Center instance. To confirm this we would need to assess all aspects of scale e.g. number of L3VNs, endpoints, IP pools, multicast routes, unicast routes, switches, routers, APs, WLCs, etc. The DNA Center data sheet lists those scale attributes for your consideration.

Alternatively, you could investigate the multi-DNA Center to ISE. Alternatively (again) you could run two totally independent DNA Center and ISE implementations. Finding the right strategy for your specific business and technical requirements is likely to need some real-time discussions. Can I suggest please that you engage your Cisco SE or AM to discuss options and the best way forward for your specific needs?

To answer your question though, if you were to implement multi-DNA Center to ISE (and I’m not saying this is the right answer for your business, more discussion required to confirm), then yes, SGTs, SGT policy and VNs are shared/synchronized between DNA Center clusters integrated to the common ISE cluster. Some basic notes are captured here if you haven’t seen the document: http://cs.co/mdnac-to-ise

Best regards, Jerome