This document describes the general recommendations or best practices when designing and deploying the Cisco SD-Access technology. The document assumes that the reader has a general overview of Cisco's SD-Access for Distributed Campus architecture, it's components and operation.
Figure1: Illustration of Reference logical topology use-case
In the above scenario (Figure1), the user in Fabric Site1 with IP address 192.168.6.148 is trying to reach an internet destination 100.X.X.X. In this use-case, internet access for all the users in Fabric Site1 is via the Fabric Site2 Borders. This is typical user access to Internet flow in SD-Access for Distributed Campus using SD-Access Transit architecture. To arrive at the best practice recommendation, in this document the use-case would be split into as follows:
Imagine that the specific traffic flow described above is not working, however, the users in Fabric Site1 are able to access other DC/DHCP/DDI resources which are logically shown on the upper left corner in the reference topology.
After further examining the problem, it is identified that the internet traffic towards the user is getting dropped on the Fabric Site2 borders.
Figure2: Illustration of the actual data packet flow
Data Packet Flow:
Ideally, at a high-level, traffic must go over first VXLAN tunnel from Fabric Site2 Borders towards Fabric Site1 Borders, then traverse from Fabric Site1 Borders towards the Fabric Edge / Access where that specific user (192.168.6.148) is attached via another VXLAN tunnel. In this document, to keep our focus on the packet flow, the reference logical topology is further simplified as shown above (Figure2).
Now, let us examine the troubleshooting steps at a high-level during problem state. In this section, let us first ask some basic questions as below:
Is the underlay network routing between RLOC1 and RLOC2 working? Yes! Ping works!
RLOC1#ping 10.4.30.7 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.4.30.7, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
RLOC2#ping 10.4.30.11 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.4.30.11, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
Since, RLOC2 is where the problem is, can we check if the overlay is fine? No! See Below
Let us examine the map-cache for the user on RLOC2
192.168.6.148/32, uptime: 00:19:28, expires: 23:40:31, via map-reply, self, complete
Locator Uptime State Pri/Wgt Encap-IID
10.4.30.10 00:19:28 route-rejec 10/10 4101
Above, see route-reject
Let us check the underlay routing again towards RLOC1 IP 10.4.30.11
RLOC2#sh ip route 10.4.30.11 % Subnet not in table
RLOC2#sh ip route <trimmed>
Gateway of last resort is 10.4.1.30 to network 0.0.0.0
B* 0.0.0.0/0 [20/0] via 10.4.1.30, 03:42:35
Since underlay routing is working via default-route you would assume overlay would just work. Not Really! See Below
RLOC2#sh run | sec router lisp
ipv4 locator reachability exclude-default
The above CLI means that from the Fabric Site2 Border perspective, if the RLOC / Fabric Site1 Border is reachable via default route, then this would stop/prevent the packets to be encap'ed into the VXLAN tunnel
At the time of writing this document, the solution is very simple as explained in the previous section, one of the design consideration to be aware of is that the underlay routing between the Site Borders in different Fabric Sites must not be learned via DEFAULT route.
Let us fix the problem now on RLOC2; For simplicity sake and just as an example, let us use /32 route towards RLOC1
RLOC2#sh ip route 10.4.30.11 Routing entry for 10.4.30.11/32 Known via "static", distance 1, metric 0 Routing Descriptor Blocks: * 10.4.1.30 Route metric is 0, traffic share count is 1 10.4.1.26 Route metric is 0, traffic share count is 1
Now, let us examine the overlay state for the user in the Fabric Site1
Hello, I have a network were all traffic should pass through a firewall (in a server) that implements some routing and filtering rules. As we can see in this picture, the server is connected to switch 3 (a layer 3 switch). To direct the traffic to th...
I have a little problem of all Routers from area 22 (Except ABR),when it try to ping something out of its area, it gets into a loop between R5 & R6 & SW5, I guess its something about the cost of them but ill be glad for people to explain what is t...
I have two Cisco C6832-X-LE connected by switch mode virtual. Both switches are currently running 6848x-ipservicesk9-mz.SPA.152-2.SY1.bin and I would like to upgrade them to c6848x-ipservicesk9-mz.SPA.155-1.SY7.bin. What I am look for is th...
Hi,I was asked to implement this: 2 firewalls HA connect to 2 Internet circuits for redundancy trough switch either catalyst or small business switch SG- 500/300/250. I dont like this not-standard setup and I'd connect firewalls directly to the ISP ...
Hi, we are trying to get visibility into traffic at our remote site using netflow on a 9500. This remote site core switch has many VLANs and attaches to many 9300 access switches via trunks. All routing for the site is on the 9500. Traffic from and t...