SD Access INFRA_VN and AP <-> WLC communication

muthumohan
Level 1

Hi All,

I understand the concepts of VRFs, LISP, VxLAN etc. But while working on WLC and AP communication, I see that AP is attached to this special VN called INFRA_VN, which is associated with Global Routing Table. When I looked at VRFs (show ip vrf command), I don't see this INFRA_VN as VRF. So, OK, this is because it uses GRT.

 

So, AP to WLC traffic flows completely via the underlay, as WLC is also reachable on the underlay (GRT). But what is confusing is the return traffic from WLC to AP is via overlay (VxLAN). Why is this? Why can't WLC to AP traffic also flow via underlay, as AP is reachable by WLC on the underlay? How does WLC to AP traffic get on to the overlay at the Border node?

 

Anyone please shed some light on this INFRA_VN. Will be much appreciated.

Thank you!

Mohan

4 Replies

balaji.bandi
Hall of Fame

INFRA_VN is overlay uses by default - where are you looking for this VRF :

 

Check this deployment guide to get more information:

 

https://www.cisco.com/c/dam/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/deploy-guide/cisco-dna-center-sd-access-wl-dg.pdf

BB


Hi

" I see that AP is attached to this special VN called INFRA_VN, which is associated with Global Routing Table. When I looked at VRFs, (show ip vrf command), I don't see this INFRA_VN as VRF."

The Global Routing Table means the absence of VRF, that's why you don't see a VRF.

 

"So, AP to WLC traffic flows completely via the underlay, as WLC is also reachable on the underlay (GRT). But what is confusing is the return traffic from WLC to AP is via overlay (VxLAN). Why is this? Why can't WLC to AP traffic also flow via underlay, as AP is reachable by WLC on the underlay? How WLC to AP traffic gets on to the overlay at the Border node?"

 

If you are familiar with wireless deployment, you may have heard about FlexConnect mode. In FlexConnect mode, the AP establishes a tunnel to the WLC for management, but the clients' traffic is sent out of this tunnel, on the switch directly.

The concept of VXLAN is similar.

 

"Fabric APs establish a CAPWAP control plane tunnel to the fabric WLC and join as local-mode APs. They must be directly connected to the fabric edge node or extended node switch in the fabric site. For their data plane, Fabric APs establish a VXLAN tunnel to their first-hop fabric edge switch where wireless client traffic is terminated and placed on the wired network. "

 

In this case, the data plane is where the client's traffic will be sent using VXLAN and not CAPWAP. Basically, the AP has two tunnels: one CAPWAP tunnel for management and one VXLAN tunnel for client data traffic.

 

 

muthumohan
Level 1

Thank you Favio and Balaji for your replies. Going over the document and the inline answers helped. I now have a clear understanding of INFRA_VN. As APs are part of INFRA_VN, it uses GRT to look up first for any destination. FE will use LISP only if there is no entry in the GRT. This way, AP-WLC communication is fully within the underlay. But since AP's IP is in EID space, this IP subnet will not be in GRT, so the return traffic from WLC-AP will use LISP/VXLAN combo to deliver the packet to AP.

 

Now, this is clear, still 2 questions remain:

1. When border node tries to send map-request to CP for AP's IP, which lisp instance will it use? Because this AP can be anywhere in the fabric, how will border know which lisp instance should it use to send map-request?

 

2. What will be the SGT value in the vxLAN tunnel for traffic coming from outside the fabric, in this case WLC? If the source is within fabric, it gets SGT assigned by ISE. But for traffic originating from outside and trying to reach a destination inside the fabric, what SGT value will border use to send traffic to a destination within the fabric?

 

Thanks again for your replies. Appreciate it much!!!

Let's not stop learning

I'd like to say that this is a pretty new subject for everyone and it is very good to discuss this and try to learn more. I myself am also finding my way through this exciting technology, which is SDA.

 

For your first question, I'd like to recommend this search:

 

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/tech_notes/sda_fabric_troubleshooting/b_cisco_sda_fabric_troubleshooting_guide.html 

 

Especially this part:

 

"Resolution for a Wired Client"

 

For the second question:

"2. What will be the SGT value in the vxLAN tunnel for traffic coming from outside the fabric, in this case WLC? If the source is within fabric, it gets SGT assigned by ISE. But for traffic originating from outside and trying to reach a destination inside the fabric, what SGT value will border use to send traffic to a destination within the fabric?"

  Actually, the WLC is not outside the fabric unless we are talking about Wireless Over the Top (OTT).

The SGT is not meant to leave the fabric but all devices inside the fabric will get one SGT according to the policy defined in the DNAC.

 

 

 This material is also helpful.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-4/b_wireless_trustsec_deployment_guide.html