06-21-2023 10:39 AM - edited 08-21-2023 09:22 AM
Traditionally in Cisco's SD-Access, endpoints that send non-local traffic (traffic destined for a remote subnet) send it to a distributed Layer 3 Anycast Gateway, which is present on all the Edge Nodes in a given Fabric Site. An L3 Anycast Gateway is a common gateway used at every Edge Node that shares a common EID (Endpoint Identifier) subnet, and it provides optimal forwarding and mobility across different RLOCs (Routing Locators). On the Edge Nodes, the anycast gateway is instantiated as an SVI (Switched Virtual Interface) with a hard-coded MAC address that is uniform across all Edge Nodes within a Fabric Site. To get this data to an external destination, the Edge Node performs a destination lookup via LISP (Locator/ID Separation Protocol) and is then responsible for forwarding the traffic to the appropriate routed destination.
What if we just need to get connected to the network without the hassle of IP addressing? If we are coming in with devices that already have our VLAN configurations, SVI gateways, etc. present and we need them intact, what are our options? We just need network connectivity. The Layer 2 Virtual Network service enables Cisco's SD-Access to provide pure Layer 2 connectivity between wired, wireless, and virtual endpoints with no Layer 3 Anycast Gateway required in the Fabric Site.
VLAN-based L2 VNIs (Layer 2 Virtual Network Identifiers) are used to identify and differentiate virtual networks at Layer 2. This feature assigns a unique identifier to each virtual network within the SD-Access fabric, which allows multiple virtual networks to coexist on the same underlay while remaining securely isolated from one another. This becomes useful when multiple tenants or applications must live in the same environment without overlapping one another: traffic can be logically separated, policies can be applied at a granular level, and network services can be delivered more efficiently.
This L2VNI is analogous to a VLAN in a traditional non-SD-Access (non-fabric) network. Put differently, Layer 2 overlays are identified by a VLAN-to-VNI correlation (L2VNI), unlike Layer 3 overlays, which are identified by a VRF-to-VNI correlation (L3VNI). The Layer 3 VNI maps to a virtual routing and forwarding (VRF) instance for Layer 3 overlays, whereas a Layer 2 VNI maps to a VLAN broadcast domain. Both provide the mechanism to isolate the data and control plane of each individual virtual network. The respective SGTs carry group membership information for users and provide data plane segmentation inside the virtualized network. When you deploy an L3 Virtual Network, however, you do not have the flexibility of using your own gateways and must use VRF routing capabilities. Although this method is fine and scalable, sometimes we need less complexity to achieve similar outcomes, and that is where strictly Layer 2 Virtual Networks come in.
We want the ability, the option, the flexibility, to connect to a non-fabric gateway when needed. Whether it's a wired endpoint, a wireless endpoint, or a virtual endpoint, there are data types that may need to be sent externally to a gateway located outside of the Fabric Site.
For instance, getting new tenants and guests onto the network when an office building opens to new tenancy shouldn't have to be complicated. If the building's owner or administrator already has Cisco's SD-Access fabric in place, the new tenants can bring their equipment over, with the IP addressing they have already set up left intact, and easily obtain access to the network. In this instance, their gateway is located outside of the fabric, and they will use the existing SD-Access fabric to get connectivity to the rest of their floors in the office building. Upon connecting to a fabric-enabled device (fabric Edge Node or Layer 2 Border Node), the new tenants still maintain and preserve their VLAN configurations and can successfully communicate with the rest of their network with no IP gateways present on the fabric nodes they are connected to.
What happens in the fabric when the new tenants get connected? Upon completion of the Layer 2 Virtual Network workflow (covered in the following section), the tenant's switches remain responsible for forwarding traffic to the other edge switches in their respective network. Inside the fabric, that traffic is encapsulated in VXLAN along with the associated LISP Layer 2 instance ID, flows through the overlay within the SD-Access fabric, and is decapsulated on exit toward the destination device outside of the fabric. In our scenario, an L2 VNID of 8200 is assigned to the tenants. See the animated GIF for this scenario below:
The use cases do not stop there. This solution spans industry verticals and facilitates non-fabric devices that need connectivity via the SD-Access fabric already in place, keeping the big picture of macro-segmentation, assurance, and automation in mind without requiring IP gateways on the fabric-enabled devices you connect to.
There will be scenarios where we want the gateway(s) to sit on a firewall so that traffic can be inspected there. If the firewall is external to the fabric, we can again use a Layer 2 Virtual Network to extend Layer 2 connectivity to the firewall(s). See the animated GIF for this scenario below:
Keep in mind that Layer 2 Virtual Networks created in the following workflow do not use Fabric Anycast Gateways, and their gateway must be configured outside of the Fabric.
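The tenant traffic described above crosses the fabric inside a VXLAN header whose VNI field carries the LISP Layer 2 instance ID (8200 in this scenario) and whose group-policy field carries the SGT. The following is an added example, not Cisco code, that builds and decodes that header so you can see exactly where the instance ID and SGT sit and flag a frame whose VNI is not in your inventory. The layout follows the VXLAN-GPO draft (draft-smith-vxlan-group-policy), which is the VXLAN variant SD-Access uses; the KNOWN_L2VNIS inventory and the SGT value 16 are constructed for the example.

```python
"""Build and decode the VXLAN-GPO header used by the SD-Access data plane.

Added example, not Cisco code. Layout per draft-smith-vxlan-group-policy:
byte 0 is the flag byte (G=0x80 group policy ID present, I=0x08 VNI valid),
byte 1 holds reserved policy bits, bytes 2-3 the 16-bit Group Policy ID (SGT),
bytes 4-6 the 24-bit VNI and byte 7 is reserved.
"""
from __future__ import annotations

import struct

FLAG_G = 0x80  # Group Policy ID field is valid
FLAG_I = 0x08  # VNI field is valid
HDR_FMT = "!BBHI"  # flags, reserved, policy id, (vni << 8 | reserved byte)
HDR_LEN = struct.calcsize(HDR_FMT)  # 8 bytes

# Constructed inventory: L2 instance-id -> VLAN name from the scenario above.
KNOWN_L2VNIS = {8200: "Tenant_VLAN1029"}


def build_vxlan_gpo(vni: int, sgt: int = 0) -> bytes:
    """Return the 8-byte header; the G flag is set only when an SGT is carried."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("SGT must fit in 16 bits")
    flags = FLAG_I | (FLAG_G if sgt else 0)
    return struct.pack(HDR_FMT, flags, 0, sgt, vni << 8)


def parse_vxlan_gpo(header: bytes) -> dict:
    """Decode SGT and VNI from the first 8 bytes after the UDP header."""
    if len(header) < HDR_LEN:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, policy_id, vni_word = struct.unpack(HDR_FMT, header[:HDR_LEN])
    if not flags & FLAG_I:
        raise ValueError("I flag clear: VNI field is not valid")
    return {
        "vni": vni_word >> 8,                             # drop the reserved byte
        "sgt": policy_id if flags & FLAG_G else None,     # only meaningful with G set
    }


def classify_frame(header: bytes, inventory: dict[int, str] = KNOWN_L2VNIS) -> str:
    """Name the L2 VN a fabric frame belongs to, or flag a VNI missing from the inventory."""
    fields = parse_vxlan_gpo(header)
    name = inventory.get(fields["vni"])
    sgt = "no SGT" if fields["sgt"] is None else f"SGT {fields['sgt']}"
    if name is None:
        return f"unexpected VNI {fields['vni']} ({sgt})"
    return f"{name} (VNI {fields['vni']}, {sgt})"


if __name__ == "__main__":
    hdr = build_vxlan_gpo(8200, sgt=16)  # constructed SGT value
    print(hdr.hex())            # 8800001000200800
    print(classify_frame(hdr))  # Tenant_VLAN1029 (VNI 8200, SGT 16)
```

Feeding `classify_frame()` the bytes that follow the UDP header of captured underlay traffic (UDP/4789) is a quick way to confirm that only the instance IDs you provisioned are actually in flight between RLOCs.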
Let's set up the Layer 2 Virtual Network feature. The following steps take place in Cisco DNA Center (ver. 2.3.5.x):
The following are code blocks of what happens on the fabric devices, located in the respective Fabric Site where the Layer 2 Virtual Network is active, after the workflow has completed:
%HA_EM-6-LOG: catchall: configure terminal
%HA_EM-6-LOG: catchall: no ipv6 mld snooping vlan 1029
%HA_EM-6-LOG: catchall: no ip igmp snooping vlan 1029
%HA_EM-6-LOG: catchall: cts role-based enforcement vlan-list 1029
%HA_EM-6-LOG: catchall: vlan 1029
%HA_EM-6-LOG: catchall: name Tenant_VLAN1029
%HA_EM-6-LOG: catchall: exit
%HA_EM-6-LOG: catchall: router lisp
%HA_EM-6-LOG: catchall: service ipv4
%HA_EM-6-LOG: catchall: etr map-server 10.10.10.14 key 7 08731F1B5B1A071341580E05737F777B35
%HA_EM-6-LOG: catchall: etr map-server 10.10.10.15 key 7 040958535D224E4A5A4A07164B5F5F572C
%HA_EM-6-LOG: catchall: etr map-server 10.10.10.14 proxy-reply
%HA_EM-6-LOG: catchall: etr map-server 10.10.10.15 proxy-reply
%HA_EM-6-LOG: catchall: instance-id-range 8200 override
%HA_EM-6-LOG: catchall: remote-rloc-probe on-route-change
%HA_EM-6-LOG: catchall: service ethernet
%HA_EM-6-LOG: catchall: eid-table vlan 1029
%HA_EM-6-LOG: catchall: database-mapping mac locator-set rloc_c4f83272-4616-4c0b-834f-ea806d5818db
%HA_EM-6-LOG: catchall: instance-id 8200
%HA_EM-6-LOG: catchall: service ethernet
%HA_EM-6-LOG: catchall: eid-table vlan 1029
%HA_EM-6-LOG: catchall: broadcast-underlay 239.0.17.1
%HA_EM-6-LOG: catchall: flood arp-nd
%HA_EM-6-LOG: catchall: flood unknown-unicast
%HA_EM-6-LOG: catchall: exit-service-ethernet
%HA_EM-6-LOG: catchall: remote-rloc-probe on-route-change
%HA_EM-6-LOG: catchall: exit-instance-id
%HA_EM-6-LOG: catchall: instance-id 8200
%HA_EM-6-LOG: catchall: service ethernet
%HA_EM-6-LOG: catchall: eid-table vlan 1029
%HA_EM-6-LOG: catchall: broadcast-underlay 239.0.17.1
%HA_EM-6-LOG: catchall: flood arp-nd
%HA_EM-6-LOG: catchall: flood unknown-unicast
%HA_EM-6-LOG: catchall: exit-service-ethernet
%HA_EM-6-LOG: catchall: remote-rloc-probe on-route-change
%HA_EM-6-LOG: catchall: exit-instance-id
%SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (10.1.200.52)
%HA_EM-6-LOG: catchall: end
%HA_EM-6-LOG: catchall: write memory
%LINEPROTO-5-UPDOWN: Line protocol on Interface L2LISP0, changed state to up
Edge_Node1#show ip int br | inc LISP
L2LISP0 10.10.10.20 YES unset up up
L2LISP0.8200 10.10.10.20 YES unset up up
LISP0 unassigned YES unset up up
Edge_Node1#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/4, Gi1/0/5, Gi1/0/6
                                                Gi1/0/7, Gi1/0/8, Gi1/0/9
                                                Gi1/0/10, Gi1/0/11, Gi1/0/12
                                                Gi1/0/13, Gi1/0/14, Gi1/0/15
                                                Gi1/0/16, Gi1/0/17, Gi1/0/18
                                                Gi1/0/19, Gi1/0/20, Gi1/0/21
                                                Gi1/0/22, Gi1/0/23, Ap1/0/1
70   VLAN0070                         active
80   VLAN0080                         active
200  VLAN0200                         active    Gi1/0/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
1029 Tenant_VLAN1029                  active    L2LI0:8200,
2046 VOICE_VLAN                       active
Edge_Node1#show run | sec instance-id
 instance-id 8200
  remote-rloc-probe on-route-change
  service ethernet
   eid-table vlan 1029
   broadcast-underlay 239.0.17.1
   flood arp-nd
   flood unknown-unicast
   database-mapping mac locator-set rloc_c4f83272-4616-4c0b-834f-ea806d5818db
   exit-service-ethernet
  !
 exit-instance-id
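The running-config section above is what you want to verify on every edge node after the workflow runs: the instance ID maps to the intended VLAN, the broadcast-underlay group and MAC locator-set are present, ARP/ND and unknown-unicast flooding are enabled (there is no fabric gateway to answer ARP for this VLAN, so flooding is what makes the outside gateway reachable), and the EEM-pushed `cts role-based enforcement vlan-list` line covers the tenant VLAN so SGT policy is still enforced. The following audit is an added example, not Cisco or Catalyst Center code; SAMPLE_CONFIG is constructed from the lines shown on this page, and the VNI-to-VLAN inventory passed to `audit_l2vn()` is a hypothetical statement of operator intent.

```python
"""Audit the Layer 2 Virtual Network (L2VNI) section of an edge node config.

Added example, not Cisco or Catalyst Center code. SAMPLE_CONFIG is constructed
from the running-config lines shown on the page; the expected inventory is the
operator's own intent and is hypothetical here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
vlan 1029
 name Tenant_VLAN1029
!
cts role-based enforcement vlan-list 1029
!
router lisp
 instance-id 8200
  remote-rloc-probe on-route-change
  service ethernet
   eid-table vlan 1029
   broadcast-underlay 239.0.17.1
   flood arp-nd
   flood unknown-unicast
   database-mapping mac locator-set rloc_c4f83272-4616-4c0b-834f-ea806d5818db
   exit-service-ethernet
  !
 exit-instance-id
"""


@dataclass
class L2Instance:
    instance_id: int
    vlan: int | None = None
    broadcast_underlay: str | None = None
    floods: set[str] = field(default_factory=set)
    locator_set: str | None = None


def parse_l2_instances(config: str) -> dict[int, L2Instance]:
    """Collect every 'instance-id N' block and its service ethernet settings."""
    instances: dict[int, L2Instance] = {}
    current: L2Instance | None = None
    for raw in config.splitlines():
        line = raw.strip()
        start = re.fullmatch(r"instance-id (\d+)", line)  # does not match instance-id-range
        if start:
            current = L2Instance(int(start.group(1)))
            instances[current.instance_id] = current
            continue
        if line == "exit-instance-id":
            current = None
            continue
        if current is None:
            continue
        if m := re.fullmatch(r"eid-table vlan (\d+)", line):
            current.vlan = int(m.group(1))
        elif m := re.fullmatch(r"broadcast-underlay (\S+)", line):
            current.broadcast_underlay = m.group(1)
        elif m := re.fullmatch(r"flood (\S+)", line):
            current.floods.add(m.group(1))
        elif m := re.fullmatch(r"database-mapping mac locator-set (\S+)", line):
            current.locator_set = m.group(1)
    return instances


def cts_enforced_vlans(config: str) -> set[int]:
    """Expand 'cts role-based enforcement vlan-list 10,20-25' into a set of VLAN IDs."""
    vlans: set[int] = set()
    for m in re.finditer(r"cts role-based enforcement vlan-list (\S+)", config):
        for part in m.group(1).split(","):
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit_l2vn(config: str, expected: dict[int, int]) -> list[str]:
    """Return findings per expected L2VNI; an empty list means the config matches intent."""
    findings: list[str] = []
    instances = parse_l2_instances(config)
    enforced = cts_enforced_vlans(config)
    for vni, vlan in expected.items():
        inst = instances.get(vni)
        if inst is None:
            findings.append(f"instance-id {vni}: not configured")
            continue
        if inst.vlan != vlan:
            findings.append(f"instance-id {vni}: eid-table vlan {inst.vlan}, expected {vlan}")
        if inst.broadcast_underlay is None:
            findings.append(f"instance-id {vni}: no broadcast-underlay group")
        if inst.locator_set is None:
            findings.append(f"instance-id {vni}: no MAC database-mapping locator-set")
        for flood in ("arp-nd", "unknown-unicast"):
            if flood not in inst.floods:
                findings.append(f"instance-id {vni}: flood {flood} not enabled")
        if inst.vlan is not None and inst.vlan not in enforced:
            findings.append(f"vlan {inst.vlan}: cts role-based enforcement not applied")
    for vni in instances:
        if vni not in expected:
            findings.append(f"instance-id {vni}: present but not in the expected inventory")
    return findings


if __name__ == "__main__":
    for line in audit_l2vn(SAMPLE_CONFIG, {8200: 1029}) or ["config matches intent"]:
        print(line)
```

Run it against `show run` output pulled from each edge node and Layer 2 Border Node in the site; an instance ID that appears on a node but is absent from your inventory is the finding worth chasing first, since it means a Layer 2 broadcast domain was extended across the fabric without anyone intending it.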
YouTube Video for Layer 2 Virtual Networks with Gateway Outside of Fabric (Coming Soon)
Cisco SD-Access Solution Design Guide
Cisco SD-Access Fabric Resources
Cisco SD-Access YouTube Channel
Cisco SD-Access Compatibility Matrix
Cisco Catalyst Center Compatibility Matrix