AndiBuchmann157
Beginner

[SDA][DESIGN] Question regarding SD-A Design / Deployment

Dear community,

I would like to hear your opinions (and have a few questions) regarding some design / implementation points; please see the attached images below for more information. I already checked the CVDs and other PDFs around but still have some questions.

 

General topics regarding the current state:

- in the existing deployment, Macmon is used for 802.1X authentication of all wireless and wired clients (outside the fabric)
- today the complete routing is done in the core area (which consists of six stacked 3Com switches)
- the SAN is connected via two SG500X to the core area
- the ESXi cluster is directly connected to the core area

 

Now my 2 cents regarding the future / transit state, or in other words: this is how I would implement / migrate everything:

Routing:

I would move the whole routing to the fusion device for overall simplification, and the plan is to remove the old core switches in the near future.

--> Would you say: "yay great idea" or rather "pls dont." ?

In this case the fusion device must not be a single point of failure --> redundancy of the FD needs to be created, e.g. by implementing a second FD.

--> How could this redundancy be achieved? I am thinking of a stackable Catalyst device with LACP port-channels connecting to the Border Nodes?

 

WLAN:

IMO the existing (third-party) WiFi infrastructure should be moved from the core to the FD. In the future the existing WiFi equipment will be replaced by DNA-enabled components. Also remember the planned removal of the old existing core hardware.

--> Yay or nay?


SAN + ESXi cluster:

As far as I know it is not supported or recommended to connect the SAN and ESXi directly to the fabric (or the border devices). This stuff should be connected to / via the FD. Ideally the SG500X should also not be used for this, because of the lack of redundant PSUs, etc.

--> Am I wrong with the statement above, and what would you recommend?

--> Leave SAN + ESXi in the core area and then go to the FD, or connect them directly to the Fusion Device?

Branches + Transit:

All in all, 5 branch offices need to be connected to the new network. This is done via some router VPNs, Etherconnect and dark fiber connections. The equipment in the branch offices will also be replaced by Cat9k devices in the near future. So it could be a great thing to extend the fabric out there once the new components are in place.

--> Leave the routers connecting the branches on the core, or move them to the FD as well?
--> What kind of transit should be used at that later point when the fabric is extended: an IP Transit or an SD-A Transit?


Current state (attached image): Ist_Plan_zensiert.png

Transit / Future State (attached image): Transit_Soll_Plan_zensiert.png
ammahend
Contributor

I would move the whole routing to the fusion device for overall simplification, and the plan is to remove the old core switches in the near future.

My Comment - Yes, all routes on your current core should be on the Fusion Global Routing table

 

In this case the fusion device must not be a single point of failure --> redundancy of the FD needs to be created, e.g. by implementing a second FD.

My Comment - see attached document for redundant fusion step-by-step setup

 

 

IMO the existing (third-party) WiFi infrastructure should be moved from the core to the FD. In the future the existing WiFi equipment will be replaced by DNA-enabled components. Also remember the planned removal of the old existing core hardware.

My Comment - the controller can exist anywhere; SD-enabled APs will connect to the Infra VN behind Edges, traffic is direct. If you are not sure about deploying wireless, just plan OTT for now.

 


As far as I know it is not supported or recommended to connect the SAN and ESXi directly to the fabric (or the border devices). This stuff should be connected to / via the FD. Ideally the SG500X should also not be used for this, because of the lack of redundant PSUs, etc.

My Comment - this will all be outside the Fabric; SDA is for the Access Layer only. However, you will have to use SXP for building policy for access from the Fabric to outside of the Fabric, and block on the Border or another suitable L3 device like your uplink Firewall.

 

All in all, 5 branch offices need to be connected to the new network. This is done via some router VPNs, Etherconnect and dark fiber connections. The equipment in the branch offices will also be replaced by Cat9k devices in the near future. So it could be a great thing to extend the fabric out there once the new components are in place.

My Comment - we need to discuss this in more detail; I have left you a PM, feel free to reach out if you are in the US.

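The reply above says that policy between fabric endpoints and the SAN / ESXi hosts living outside the fabric is built with SXP and enforced on the border or another suitable L3 device. As an added illustration of what that looks like on an IOS-XE border or fusion switch (this is my own example, not configuration from the thread or from the attached document), the switch receives IP-to-SGT bindings for fabric endpoints over SXP, statically tags the SAN subnet, and applies SGACLs so that only the ESXi management group may reach the SAN while ordinary fabric users are blocked. All addresses, SGT numbers, ACL names, the SXP peer and the password are placeholders I made up for the example.

```text
! ---- Added example, not from the thread: SXP + SGACL enforcement on an
! ---- IOS-XE border/fusion switch for traffic leaving the fabric.
! ---- Addresses, SGT values, ACL names, peer and password are made-up placeholders.

! Static SGT for the SAN subnet that sits outside the fabric, behind the FD
cts role-based sgt-map 10.50.10.0/24 sgt 20

! Learn IP-to-SGT bindings of fabric endpoints over SXP; this switch listens,
! the SXP speaker (e.g. ISE) at 10.0.0.9 publishes the bindings
cts sxp enable
cts sxp default source-ip 10.0.0.1
cts sxp default password EXAMPLE_PASSWORD
cts sxp connection peer 10.0.0.9 password default mode local listener

! Turn on SGACL enforcement so the permissions below are actually applied
cts role-based enforcement

! SGACL contents: ESXi management group (SGT 30) may reach the SAN (SGT 20)
! on iSCSI (3260) and NFS (2049) only; everything else is denied
ip access-list role-based ESXI_TO_SAN
 permit tcp dst eq 3260
 permit tcp dst eq 2049
 deny ip

ip access-list role-based DENY_ALL
 deny ip

! Bind the SGACLs to (source SGT, destination SGT) pairs
cts role-based permissions from 30 to 20 ipv4 ESXI_TO_SAN
cts role-based permissions from 10 to 20 ipv4 DENY_ALL
```

After applying this, `show cts sxp connections` should show the peer in the On state, `show cts role-based sgt-map all` should list both the static SAN binding and the bindings learned via SXP, and `show cts role-based permissions` should list the two SGACL bindings; if the SXP session is down the fabric users arrive untagged and the DENY_ALL rule never matches, which is why the session state is the first thing to check when enforcement appears to be missing.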