This document describes the general recommendations or best practices when designing and deploying the Cisco SD-Access technology. The document assumes that the reader has a general overview of Cisco's SD-Access for Distributed Campus architecture, it's components and operation.
Figure1: Illustration of Reference logical topology use-case
In the above scenario (Figure1), the user in Fabric Site1 with IP address 192.168.6.148 is trying to reach an internet destination 100.X.X.X. In this use-case, internet access for all the users in Fabric Site1 is via the Fabric Site2 Borders. This is typical user access to Internet flow in SD-Access for Distributed Campus using SD-Access Transit architecture. To arrive at the best practice recommendation, in this document the use-case would be split into as follows:
Imagine that the specific traffic flow described above is not working, however, the users in Fabric Site1 are able to access other DC/DHCP/DDI resources which are logically shown on the upper left corner in the reference topology.
After further examining the problem, it is identified that the internet traffic towards the user is getting dropped on the Fabric Site2 borders.
Figure2: Illustration of the actual data packet flow
Data Packet Flow:
Ideally, at a high-level, traffic must go over first VXLAN tunnel from Fabric Site2 Borders towards Fabric Site1 Borders, then traverse from Fabric Site1 Borders towards the Fabric Edge / Access where that specific user (192.168.6.148) is attached via another VXLAN tunnel. In this document, to keep our focus on the packet flow, the reference logical topology is further simplified as shown above (Figure2).
Now, let us examine the troubleshooting steps at a high-level during problem state. In this section, let us first ask some basic questions as below:
Is the underlay network routing between RLOC1 and RLOC2 working? Yes! Ping works!
RLOC1#ping 10.4.30.7 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.4.30.7, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
RLOC2#ping 10.4.30.11 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.4.30.11, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
Since, RLOC2 is where the problem is, can we check if the overlay is fine? No! See Below
Let us examine the map-cache for the user on RLOC2
192.168.6.148/32, uptime: 00:19:28, expires: 23:40:31, via map-reply, self, complete
Locator Uptime State Pri/Wgt Encap-IID
10.4.30.10 00:19:28 route-rejec 10/10 4101
Above, see route-reject
Let us check the underlay routing again towards RLOC1 IP 10.4.30.11
RLOC2#sh ip route 10.4.30.11 % Subnet not in table
RLOC2#sh ip route <trimmed>
Gateway of last resort is 10.4.1.30 to network 0.0.0.0
B* 0.0.0.0/0 [20/0] via 10.4.1.30, 03:42:35
Since underlay routing is working via default-route you would assume overlay would just work. Not Really! See Below
RLOC2#sh run | sec router lisp
ipv4 locator reachability exclude-default
The above CLI means that from the Fabric Site2 Border perspective, if the RLOC / Fabric Site1 Border is reachable via default route, then this would stop/prevent the packets to be encap'ed into the VXLAN tunnel
At the time of writing this document, the solution is very simple as explained in the previous section, one of the design consideration to be aware of is that the underlay routing between the Site Borders in different Fabric Sites must not be learned via DEFAULT route.
Let us fix the problem now on RLOC2; For simplicity sake and just as an example, let us use /32 route towards RLOC1
RLOC2#sh ip route 10.4.30.11 Routing entry for 10.4.30.11/32 Known via "static", distance 1, metric 0 Routing Descriptor Blocks: * 10.4.1.30 Route metric is 0, traffic share count is 1 10.4.1.26 Route metric is 0, traffic share count is 1
Now, let us examine the overlay state for the user in the Fabric Site1
What design is generally recommended for an office with approx 400 client devices. We have about 10 x access L2 switches (2960x) and are not sure whether to go with 1 x L3 stack (4 x 9300 switches) or maybe 2 x stacks (of 2 x 9300 switches). We are thinki...
After I create a VLAN i can no longer access the GUI.port 1 - trunk connected to routerport 2 - access, PCThe switch is connected to an Edgerouter.I'm sure it's something simple, but I'm new to VLANs and can't figure it out.
Hi Folks, I have posted my config below for a little advice/suggestions.This is 1 of 2 Cisco 887 routers which feed into a Cisco 2960 switch were I have mapped the access ports to VLANs as below. I have a few questions as I had planned to use Ether C...
Hello all. Some of my friends telling me that I am using stateless method for my Dhcp router and some of them telling me that I am using stateful method. I attached the packet tracer for references.This is the current configuration: A...
Hi Everyone, I want the centre administration & tutor computer to not be able to access the internet but can access web and file server. I have tried this coding but it doesn't work. access-list Filter1deny tcp host 2001:AAAA:BBBB...