kadsteph, Cisco Employee

Layer2VirtualNetwork.png

Layer 2 VNIs

Traditionally in Cisco's SD-Access, endpoints that send non-local traffic (traffic destined for a remote subnet) send it to a distributed Layer 3 Anycast Gateway, which is present on all the Edge Nodes in a given Fabric Site. An L3 Anycast Gateway is a common gateway used at every Edge Node that shares a common EID (Endpoint Identifier) subnet; it provides optimal forwarding and mobility across different RLOCs (Routing Locators). On the Edge Nodes, the anycast gateway is instantiated as an SVI (Switched Virtual Interface) with a hard-coded MAC address that is uniform across all Edge Nodes within a Fabric Site. The Edge Node is then responsible for forwarding the traffic to the appropriate routed destination after performing a destination lookup via LISP (Locator/ID Separation Protocol).

What if we just need to get connected to the network without the hassle of IP addressing? If we are coming in with devices that already have our VLAN configurations, SVI gateways, etc. present and we need them intact, what are our options? We just need network connectivity. The Layer 2 Virtual Network service enables Cisco's SD-Access to provide pure Layer 2 connectivity between wired, wireless, and virtual endpoints with no Layer 3 Anycast Gateway required in the Fabric Site.

VLAN-based L2 VNIs (Layer 2 Virtual Network Identifiers) are used to identify and differentiate virtual networks at Layer 2. This feature assigns a unique identifier to each virtual network within the SD-Access fabric and allows multiple virtual networks to coexist and be securely isolated from one another while using the same underlay. This becomes useful when multiple tenants or applications must live in the same environment without overlapping one another: traffic can be logically separated, policies can be applied at a granular level, and network services can be delivered more efficiently.

This L2VNI is analogous to a VLAN in a traditional, non-SD-Access (non-fabric) network. Put differently, Layer 2 overlays are identified by a VLAN-to-VNI correlation (L2VNI), whereas Layer 3 overlays are identified by a VRF-to-VNI correlation (L3VNI). The Layer 3 VNI maps to a virtual routing and forwarding (VRF) instance for Layer 3 overlays, whereas a Layer 2 VNI maps to a VLAN broadcast domain. Both provide the mechanism to isolate the data and control plane for each individual virtual network. The respective SGTs carry group membership information of users and provide data-plane segmentation inside the virtualized network. When you deploy an L3 Virtual Network, however, you do not have the flexibility of using your own gateways and must use VRF routing capabilities. Although this method is fine and scalable, sometimes we need less complexity to achieve similar outcomes, and that is where strictly using Layer 2 Virtual Networks comes in.

The Bottom Line: L3VNI and L2VNI Differences

Layer 3 VNIs:

  • Layer 3 VNIs are associated with routing functionalities (OSPF, BGP, etc.) and are operational at the network layer (layer 3) of the OSI model.
  • Enable the creation of Layer 3 Virtual Networks, analogous with VRFs, that are capable of routing traffic between different subnets or IP networks.
  • Used for segmentation between subnets or IP networks.
  • When creating a Layer 3 Virtual Network in Cisco DNA Center, Cisco DNA Center pushes both Layer 3 VNIs and Layer 2 VNIs to the fabric devices in the respective Fabric Site.

Layer 2 VNIs:

  • Layer 2 VNIs are operational at the data link layer (layer 2) of the OSI model.
  • Enable the creation of Layer 2 Virtual Networks, analogous to VLANs, that allow devices to communicate within the same L2VN as if they were a part of the same physical switch.
  • Used for segmentation within a subnet or IP network.
  • When creating a Layer 2 Virtual Network in Cisco DNA Center, Cisco DNA Center pushes only Layer 2 VNIs to the fabric devices in the respective Fabric Site.

Screenshot 2023-06-20 150335_2.png

Use-Case Scenario: New Tenants in Building

We want to have the ability, the option, the flexibility, to be able to connect to a non-fabric gateway when needed. Whether it's a wired endpoint, wireless endpoint, or a virtual endpoint, there are data types that may be of interest to send out, externally, to a gateway that is located outside of the Fabric Site.

For instance, getting new tenants and guests onto the network when an office building opens to new tenancy shouldn't have to be complicated. If the building's owner/administrator has Cisco's SD-Access fabric already in place, the new tenants can bring their equipment over, with their IP addressing that's been set up just the way they want, intact, and they can easily obtain access into the network. In this instance, their gateway is located outside of the fabric, and they will utilize the existing SD-Access fabric to get connectivity to the rest of their floors in their office building. Upon connecting into a fabric-enabled device (fabric Edge Node or Layer 2 Border Node), the new tenants will still maintain and preserve their VLAN configurations and will successfully be able to communicate to the rest of their network with no IP gateways needing to be present on the fabric nodes they are connected to.

What happens in the fabric when the new tenants get connected? Once the Layer 2 Virtual Network workflow (covered in the following section) is complete, the tenant's switches remain responsible for forwarding traffic to the other edge switches in their respective network. Inside the fabric, that traffic is encapsulated in VXLAN with the associated LISP Layer 2 instance ID, flows through the overlay within the SD-Access fabric, and is decapsulated on exit to the destination device outside of the fabric. In our scenario, an L2 VNID of 8200 is assigned to the tenants. See the animated GIF for this scenario below:

L2VN_GIF1.gif

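To make the encapsulation in the scenario above concrete, here is an added example (written for this article, not Cisco or Cisco DNA Center code) that builds and decodes the VXLAN-GPO header SD-Access uses as its data-plane encapsulation. The 8-byte header carries the 24-bit VNI, which is the L2 instance ID (8200 in the tenant scenario), and a 16-bit Group Policy ID field that carries the SGT; the inner Ethernet frame with the tenant's own MAC addressing is opaque to the underlay, which only sees the outer RLOC IP addresses and UDP port 4789. The byte layout follows the VXLAN-GPO draft (draft-smith-vxlan-group-policy); the inner frame, its MAC addresses and the SGT value 17 are constructed sample data, and all function names are this example's own.

```python
"""VXLAN-GPO encapsulation of a tenant frame, as an added illustration (not Cisco code)."""
from __future__ import annotations

import struct

VXLAN_UDP_PORT = 4789  # outer UDP destination port; the underlay sees only RLOC IPs and this port
FLAG_G = 0x80          # Group Policy ID field is valid (carries the SGT)
FLAG_I = 0x08          # VNI field is valid
TENANT_VNI = 8200      # the L2 instance ID from the article's scenario


def build_vxlan_gpo(vni: int, sgt: int | None = None) -> bytes:
    """Return the 8-byte VXLAN-GPO header: flags, reserved, Group Policy ID, VNI, reserved."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    flags, gpid = FLAG_I, 0
    if sgt is not None:
        if not 0 <= sgt < (1 << 16):
            raise ValueError("SGT must fit in 16 bits")
        flags |= FLAG_G
        gpid = sgt
    return bytes([flags, 0x00]) + struct.pack("!H", gpid) + vni.to_bytes(3, "big") + b"\x00"


def parse_vxlan_gpo(header: bytes) -> dict:
    """Decode the header; the SGT is only meaningful when the G flag is set."""
    if len(header) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags = header[0]
    if not flags & FLAG_I:
        raise ValueError("I flag clear: no valid VNI in this header")
    gpid = struct.unpack("!H", header[2:4])[0]
    vni = int.from_bytes(header[4:7], "big")
    return {"vni": vni, "sgt": gpid if flags & FLAG_G else None}


def encapsulate(inner_frame: bytes, vni: int, sgt: int | None = None) -> bytes:
    """What an ingress Edge Node places inside the outer IP/UDP (RLOC-to-RLOC) packet."""
    return build_vxlan_gpo(vni, sgt) + inner_frame


def decapsulate(vxlan_payload: bytes) -> tuple[int, int | None, bytes]:
    """What the egress node recovers: the VNI selects the VLAN (eid-table), the SGT feeds policy."""
    hdr = parse_vxlan_gpo(vxlan_payload[:8])
    return hdr["vni"], hdr["sgt"], vxlan_payload[8:]


def tenant_frame() -> bytes:
    """Constructed inner Ethernet frame: tenant dst MAC, src MAC, EtherType IPv4, dummy payload."""
    dst = bytes.fromhex("00005e000101")   # constructed: the tenant's own (non-fabric) gateway MAC
    src = bytes.fromhex("001122334455")   # constructed: a tenant host
    return dst + src + b"\x08\x00" + b"\x00" * 20


if __name__ == "__main__":
    packet = encapsulate(tenant_frame(), TENANT_VNI, sgt=17)  # SGT 17 is a constructed value
    print(packet[:8].hex())          # 8800001100200800: flags G|I, SGT 0x0011, VNI 0x002008
    print(decapsulate(packet)[:2])   # (8200, 17)
```

Only the VNI and the Group Policy ID are needed by the fabric to pick the right VLAN and apply SGT policy at the far end; nothing in the tenant's frame has to be an IP address the fabric knows about, which is exactly why the gateway can live outside the fabric.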
The use cases do not stop there. This solution spans across industry verticals and will facilitate non-fabric devices needing connectivity via the SD-Access fabric that is in place - keeping the big picture of macro-segmentation, assurance, and automation in mind without the need for IP gateways to be present on the fabric-enabled devices you are connecting to.

There will be scenarios where we want the gateway(s) to be on a firewall so that traffic can be inspected there. If the firewall is external to the fabric, we can again use our Layer 2 Virtual Network to extend Layer 2 connectivity to the firewall(s). See the animated GIF for this scenario below:

L2VN_GIF2.gif

How To Set Up Layer 2 Virtual Networks in Cisco DNA Center

Keep in mind that Layer 2 Virtual Networks created in the following workflow do not use Fabric Anycast Gateways, and their gateway must be configured outside of the Fabric.

Let's set up the Layer 2 Virtual Network feature. The following steps take place in Cisco DNA Center (ver. 2.3.5.x):

On the Cisco DNA Center dashboard, open the hamburger menu and navigate to Provision > SD-Access > Virtual Networks.

Workflow_1.png

Next, click on the number above Layer 3 Virtual Networks and this will take you to the page where you will be able to create Layer 3 and Layer 2 Virtual Networks. If you already have a Layer 2 Virtual Network created, you can click on the number above Layer 2 Virtual Networks to get you where you need to be.

Workflow_2.png

Click on the Layer 2 tab then navigate to, and click on, Create Layer 2 Virtual Networks.

Workflow_3.png

Click on Let's Do It. This starts the Create Layer 2 Virtual Networks workflow.

Workflow_3a.png

Under "Configuration Attributes", give your VLAN a name and select Data as the Traffic Type. Enable "Fabric-Enabled Wireless" if you plan to associate a Fabric SSID with your VLAN. Press Next.

Workflow_4.png

Under "Associated Fabric Sites and Fabric Zones", select the Fabric Site you would like to associate with your L2 Virtual Network. Press Next.

Workflow_5.png

Our Summary page will show us all the selections we just made for our Layer 2 Virtual Network. If we are satisfied with our selections, we will click on Create and then Deploy on the next screen.

Workflow_6.png

Workflow_7.png

After processing, we will get a success message stating that our L2 Virtual Network has been successfully created and deployed. To further inspect the VLAN we just created, click on "View Layer 2 Virtual Networks".

Workflow_8.png

To be able to view the following screen, you must enable the "Preview New SD-Access - BETA" button on the top right-hand corner.

On the Layer 2 Virtual Networks screen, we can view the VLAN we just created, the VNID (Virtual Network Identifier), the associated VLAN ID, and other settings we configured in the Layer 2 Virtual Network workflow.

Workflow_9.png

The following device output shows what happens on the fabric devices, located in the Fabric Site where the Layer 2 Virtual Network is active, after the workflow has completed:

%HA_EM-6-LOG: catchall: configure terminal
%HA_EM-6-LOG: catchall: no ipv6 mld snooping vlan 1029
%HA_EM-6-LOG: catchall: no ip igmp snooping vlan 1029
%HA_EM-6-LOG: catchall: cts role-based enforcement vlan-list 1029
%HA_EM-6-LOG: catchall: vlan 1029
%HA_EM-6-LOG: catchall: name Tenant_VLAN1029
%HA_EM-6-LOG: catchall: exit
%HA_EM-6-LOG: catchall: router lisp
%HA_EM-6-LOG: catchall: service ipv4
%HA_EM-6-LOG: catchall: etr map-server 10.10.10.14 key 7 08731F1B5B1A071341580E05737F777B35
%HA_EM-6-LOG: catchall: etr map-server 10.10.10.15 key 7 040958535D224E4A5A4A07164B5F5F572C
%HA_EM-6-LOG: catchall: etr map-server 10.10.10.14 proxy-reply
%HA_EM-6-LOG: catchall: etr map-server 10.10.10.15 proxy-reply
%HA_EM-6-LOG: catchall: instance-id-range 8200 override
%HA_EM-6-LOG: catchall: remote-rloc-probe on-route-change
%HA_EM-6-LOG: catchall: service ethernet
%HA_EM-6-LOG: catchall: eid-table vlan 1029
%HA_EM-6-LOG: catchall: database-mapping mac locator-set rloc_c4f83272-4616-4c0b-834f-ea806d5818db
%HA_EM-6-LOG: catchall: instance-id 8200
%HA_EM-6-LOG: catchall: service ethernet
%HA_EM-6-LOG: catchall: eid-table vlan 1029
%HA_EM-6-LOG: catchall: broadcast-underlay 239.0.17.1
%HA_EM-6-LOG: catchall: flood arp-nd
%HA_EM-6-LOG: catchall: flood unknown-unicast
%HA_EM-6-LOG: catchall: exit-service-ethernet
%HA_EM-6-LOG: catchall: remote-rloc-probe on-route-change
%HA_EM-6-LOG: catchall: exit-instance-id
%HA_EM-6-LOG: catchall: instance-id 8200
%HA_EM-6-LOG: catchall: service ethernet
%HA_EM-6-LOG: catchall: eid-table vlan 1029
%HA_EM-6-LOG: catchall: broadcast-underlay 239.0.17.1
%HA_EM-6-LOG: catchall: flood arp-nd
%HA_EM-6-LOG: catchall: flood unknown-unicast
%HA_EM-6-LOG: catchall: exit-service-ethernet
%HA_EM-6-LOG: catchall: remote-rloc-probe on-route-change
%HA_EM-6-LOG: catchall: exit-instance-id
%SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (10.1.200.52)
%HA_EM-6-LOG: catchall: end
%HA_EM-6-LOG: catchall: write memory
%LINEPROTO-5-UPDOWN: Line protocol on Interface L2LISP0, changed state to up
Edge_Node1#show ip int br | inc LISP
L2LISP0                10.10.10.20     YES unset  up                    up
L2LISP0.8200           10.10.10.20     YES unset  up                    up
LISP0                  unassigned      YES unset  up                    up
Edge_Node1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/4, Gi1/0/5, Gi1/0/6
                                                Gi1/0/7, Gi1/0/8, Gi1/0/9
                                                Gi1/0/10, Gi1/0/11, Gi1/0/12
                                                Gi1/0/13, Gi1/0/14, Gi1/0/15
                                                Gi1/0/16, Gi1/0/17, Gi1/0/18
                                                Gi1/0/19, Gi1/0/20, Gi1/0/21
                                                Gi1/0/22, Gi1/0/23, Ap1/0/1
70   VLAN0070                         active
80   VLAN0080                         active
200  VLAN0200                         active    Gi1/0/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
1029 Tenant_VLAN1029                  active    L2LI0:8200,
2046 VOICE_VLAN                       active
Edge_Node1#show run | sec instance-id
 instance-id 8200
  remote-rloc-probe on-route-change
  service ethernet
   eid-table vlan 1029
   broadcast-underlay 239.0.17.1
   flood arp-nd
   flood unknown-unicast
   database-mapping mac locator-set rloc_c4f83272-4616-4c0b-834f-ea806d5818db
   exit-service-ethernet
  !
  exit-instance-id

Helpful Notes

  • Layer 2 Flooding is automatically enabled for each Layer 2 Virtual Network. Each network segment with Layer 2 Flooding enabled should be sized to account for the impact of Broadcast, Unknown Unicast and Multicast flooding within the Fabric Site.
  • L2 flooding in overlay requires ASM (Any-source multicast) in underlay.
  • If VLAN-Based L2VNI requires connectivity to endpoints external to fabric, then use Layer 2 Border handoff automation or use an Edge Node (FE/EN/PEN) “Trunk” port.
  • With L2VNI, the VLAN and IP Pool binding are decoupled, and the user does not need an IP pool to create an L2VNI.
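The device output in the previous section and the flooding notes above suggest a quick post-deployment check. The following is an added example (not Cisco DNA Center or IOS XE code; the function names are this example's own) that parses captured `show run | sec instance-id` and `show vlan brief` text from an Edge Node and confirms the VLAN-to-instance-id binding, the `L2LI0:<vni>` pseudo-port in the VLAN table, the `broadcast-underlay` group being a multicast address (L2 flooding depends on ASM in the underlay), the two `flood` statements, and the MAC `database-mapping`. The sample input is constructed to mirror the article's Edge_Node1 output; the `key 7` line in the redaction sample uses a constructed placeholder value. The `redact_type7_keys` helper is there because type 7 values in `etr map-server ... key 7 ...` lines are reversible obfuscation rather than encryption, so captures should be scrubbed before they are shared.

```python
"""Post-deployment sanity checks for an SD-Access L2VNI (added example, not Cisco code)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the article's Edge_Node1 output.
SAMPLE_SHOW_RUN = """\
 instance-id 8200
  remote-rloc-probe on-route-change
  service ethernet
   eid-table vlan 1029
   broadcast-underlay 239.0.17.1
   flood arp-nd
   flood unknown-unicast
   database-mapping mac locator-set rloc_c4f83272-4616-4c0b-834f-ea806d5818db
   exit-service-ethernet
  !
  exit-instance-id
"""

SAMPLE_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/4, Gi1/0/5, Gi1/0/6
                                                Gi1/0/7, Gi1/0/8, Gi1/0/9
200  VLAN0200                         active    Gi1/0/3
1029 Tenant_VLAN1029                  active    L2LI0:8200,
2046 VOICE_VLAN                       active
"""


@dataclass
class L2Instance:
    vni: int
    vlan: int | None = None
    broadcast_underlay: str | None = None
    flood_arp_nd: bool = False
    flood_unknown_unicast: bool = False
    locator_set: str | None = None


def parse_l2_instances(show_run: str) -> dict[int, L2Instance]:
    """Collect the ethernet-service settings of every `instance-id N` block."""
    instances: dict[int, L2Instance] = {}
    current: L2Instance | None = None
    for raw in show_run.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"instance-id (\d+)", line):
            current = instances.setdefault(int(m.group(1)), L2Instance(int(m.group(1))))
        elif current is None:
            continue
        elif m := re.fullmatch(r"eid-table vlan (\d+)", line):
            current.vlan = int(m.group(1))
        elif m := re.fullmatch(r"broadcast-underlay (\S+)", line):
            current.broadcast_underlay = m.group(1)
        elif line == "flood arp-nd":
            current.flood_arp_nd = True
        elif line == "flood unknown-unicast":
            current.flood_unknown_unicast = True
        elif m := re.fullmatch(r"database-mapping mac locator-set (\S+)", line):
            current.locator_set = m.group(1)
        elif line == "exit-instance-id":
            current = None
    return instances


def parse_vlan_brief(vlan_brief: str) -> dict[int, tuple[str, int | None]]:
    """Map VLAN id -> (name, L2 LISP instance shown as the L2LI0:<vni> pseudo-port, or None)."""
    vlans: dict[int, tuple[str, int | None]] = {}
    for line in vlan_brief.splitlines():
        # Port continuation lines are indented, so they deliberately do not match.
        m = re.match(r"^(\d+)\s+(\S+)\s+\S+\s*(.*)$", line)
        if not m:
            continue
        bound = re.search(r"L2LI0:(\d+)", m.group(3))
        vlans[int(m.group(1))] = (m.group(2), int(bound.group(1)) if bound else None)
    return vlans


def audit_l2vni(show_run: str, vlan_brief: str, vni: int, vlan: int) -> list[str]:
    """Return findings; an empty list means the L2VNI looks correctly deployed on this node."""
    inst = parse_l2_instances(show_run).get(vni)
    if inst is None:
        return [f"instance-id {vni} not present in running config"]
    findings: list[str] = []
    if inst.vlan != vlan:
        findings.append(f"instance-id {vni} binds VLAN {inst.vlan}, expected {vlan}")
    entry = parse_vlan_brief(vlan_brief).get(vlan)
    if entry is None or entry[1] != vni:
        findings.append(f"show vlan brief does not show VLAN {vlan} on L2LI0:{vni}")
    # L2 flooding rides on an underlay multicast group, so the group must be a multicast address.
    if inst.broadcast_underlay is None:
        findings.append("no broadcast-underlay group: L2 flooding cannot work")
    elif not ipaddress.ip_address(inst.broadcast_underlay).is_multicast:
        findings.append(f"broadcast-underlay {inst.broadcast_underlay} is not a multicast group")
    if not (inst.flood_arp_nd and inst.flood_unknown_unicast):
        findings.append("flood arp-nd / flood unknown-unicast are not both enabled")
    if inst.locator_set is None:
        findings.append("no MAC database-mapping: endpoint MACs will not be registered")
    return findings


def redact_type7_keys(text: str) -> str:
    """Blank `key 7 <value>` before sharing captures: type 7 is reversible obfuscation, not encryption."""
    return re.sub(r"(key 7 )\S+", r"\1<redacted>", text)


if __name__ == "__main__":
    print(audit_l2vni(SAMPLE_SHOW_RUN, SAMPLE_VLAN_BRIEF, 8200, 1029) or "L2VNI 8200 / VLAN 1029 OK")
    print(redact_type7_keys("etr map-server 10.10.10.14 key 7 PLACEHOLDER0123"))  # constructed value
```

Run it once per Edge Node with the captured output substituted for the samples; the same check on the Layer 2 Border Node tells you whether the instance ID the tenant traffic leaves on matches the one the Edge Nodes were given.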

Considerations for your Deployment

  • The Fabric Site must be deployed as one of the following:
    1. All Catalyst 9000 Series Switches.
    2. Catalyst 9000 Series Switches as Edge Nodes and the Layer 3 Border Node as an ISR 4000 Series or ASR 1000 or Catalyst 8000 Series Routers.
    3. Catalyst 9000 Series Switches as Edge Nodes and Border Nodes and the Control Plane Node as an ISR 4000 Series or ASR 1000 Series Routers or Catalyst 8000 Series Routers.
    4. If using option 2 or option 3, the Layer 2 Handoff must be on a Catalyst 9000 Series switch that supports that functionality (no 9200/L).
  • If Layer 2 handoff is required on a fabric border, then we strongly recommend using a dedicated border for Layer 2 handoff.
    • It is possible to collocate Layer 2 and Layer 3 handoff on the same border, but it is not recommended.
  • SGT assignment and policy are supported for Layer 2 Virtual Networks.
  • FEW (Fabric-Enabled Wireless) + L2VN requires a 9800 WLC.
    • For wired hosts, the minimum DNAC version is 2.3.3.x
    • For wireless hosts, the minimum DNAC version is 2.3.5.x
    • Layer 2 Virtual Network doesn’t support overlapping subnets on wireless across different layer 2 instances.

Helpful Resources

YouTube Video for Layer 2 Virtual Networks with Gateway Outside of Fabric (Coming Soon)
Cisco SD-Access Solution Design Guide
Cisco SD-Access Fabric Resources

Cisco SD-Access YouTube Channel
Cisco SD-Access Compatibility Matrix
Cisco Catalyst Center Compatibility Matrix

Featured Speaker
01-kadsteph-mauricio-palomar.jpg

Kadin Stephens is a Technical Marketing Engineer currently on the Software-Defined Access (SDA) Solution Team. He holds a Bachelor’s degree in Electrical Engineering from California Polytechnic State University, San Luis Obispo, and is CCNA certified (CSCO14045242).