This document describes the general recommendations or best practices when designing and deploying the Cisco SD-Access technology. The document assumes that the reader has a general overview of Cisco's SD-Access for Distributed Campus architecture, it's components and operation.
Figure1: Illustration of Reference logical topology use-case
In the above scenario (Figure1), the user in Fabric Site1 with IP address 192.168.6.148 is trying to reach an internet destination 100.X.X.X. In this use-case, internet access for all the users in Fabric Site1 is via the Fabric Site2 Borders. This is typical user access to Internet flow in SD-Access for Distributed Campus using SD-Access Transit architecture. To arrive at the best practice recommendation, in this document the use-case would be split into as follows:
Imagine that the specific traffic flow described above is not working, however, the users in Fabric Site1 are able to access other DC/DHCP/DDI resources which are logically shown on the upper left corner in the reference topology.
After further examining the problem, it is identified that the internet traffic towards the user is getting dropped on the Fabric Site2 borders.
Figure2: Illustration of the actual data packet flow
Data Packet Flow:
Ideally, at a high-level, traffic must go over first VXLAN tunnel from Fabric Site2 Borders towards Fabric Site1 Borders, then traverse from Fabric Site1 Borders towards the Fabric Edge / Access where that specific user (192.168.6.148) is attached via another VXLAN tunnel. In this document, to keep our focus on the packet flow, the reference logical topology is further simplified as shown above (Figure2).
Now, let us examine the troubleshooting steps at a high-level during problem state. In this section, let us first ask some basic questions as below:
Is the underlay network routing between RLOC1 and RLOC2 working? Yes! Ping works!
RLOC1#ping 10.4.30.7 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.4.30.7, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
RLOC2#ping 10.4.30.11 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.4.30.11, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
Since, RLOC2 is where the problem is, can we check if the overlay is fine? No! See Below
Let us examine the map-cache for the user on RLOC2
192.168.6.148/32, uptime: 00:19:28, expires: 23:40:31, via map-reply, self, complete
Locator Uptime State Pri/Wgt Encap-IID
10.4.30.10 00:19:28 route-rejec 10/10 4101
Above, see route-reject
Let us check the underlay routing again towards RLOC1 IP 10.4.30.11
RLOC2#sh ip route 10.4.30.11 % Subnet not in table
RLOC2#sh ip route <trimmed>
Gateway of last resort is 10.4.1.30 to network 0.0.0.0
B* 0.0.0.0/0 [20/0] via 10.4.1.30, 03:42:35
Since underlay routing is working via default-route you would assume overlay would just work. Not Really! See Below
RLOC2#sh run | sec router lisp
ipv4 locator reachability exclude-default
The above CLI means that from the Fabric Site2 Border perspective, if the RLOC / Fabric Site1 Border is reachable via default route, then this would stop/prevent the packets to be encap'ed into the VXLAN tunnel
At the time of writing this document, the solution is very simple as explained in the previous section, one of the design consideration to be aware of is that the underlay routing between the Site Borders in different Fabric Sites must not be learned via DEFAULT route.
Let us fix the problem now on RLOC2; For simplicity sake and just as an example, let us use /32 route towards RLOC1
RLOC2#sh ip route 10.4.30.11 Routing entry for 10.4.30.11/32 Known via "static", distance 1, metric 0 Routing Descriptor Blocks: * 10.4.1.30 Route metric is 0, traffic share count is 1 10.4.1.26 Route metric is 0, traffic share count is 1
Now, let us examine the overlay state for the user in the Fabric Site1
I have the attached network scenario.In the scenario, I have 2 networks 10.100.0.0/16 & 10.200.0.0/16 which has access to Internet.OSPF is used between L3#3 & R1 , L4#4 & R2. R1 & R2 is configured for source NAT to communica...
Hello folks...Looking for some help. Here is the short. Bought a 2800 router for lab setup and configured it fine for SSH connection. SSH worked perfectly. Went on to configure Router as a Lab Router with Internet access. Whi...
Hi Community, please let me know if this place is accordingly for my issue or needs to be moved. I've configured a Cisco ASA on AWS, this appliance has 3 networks ( mgmt - inside -outside ), those interfaces with source/dest check disabled...
Hi, we upgraded to a 1Gb ISP connection and discovered that our 2911-k9 does not support that throughput. This might be a dumb question (I’m a newbie), but is there an HWIC that we could add to the 2911 that would add to enable it to scale. If so, which o...
Pls, find the attached doc for reference. Pls, help me solve the questions given below.Q.1. Both router R1 and R2 are sending same traffic to R. However, I want to bias only one of them (Either R1 or R2) and receive traffic from them. From the perspective...