Solved: Re: Datacenter Fabricpath Design to Migrate Legacy Network

Cardoni · ‎02-17-2018

All,

I have chalenge to migrate an old design (PCI network with a lot of firewalls) to a fabricpath. Also, I need to understand whats the best strategy to take all vlans and send to spine, that today are separate with the fws.

So, everthing that I read until now about fabricpath is to have all DC vlans in the spine. This is a big change for my topology, because ever single vlan is behind a fw with isolated bridge domain (most of the times 2960's or 4500).

The first part of this chalenge is send all this vlans (of course consistently) to a spine (N7K). In this step my question is: Is this a really good idea?

The second part, and for me the big one is: What's the best fit? Border Spine or Border Leaf? To give a little more information to answer, I have a datacenter interconnection and internet.

The things that I can't understand is how can I will work with all vlans to go out the DC, either to DCI or Internet. Because when I have a border leaf I must have to create a routing to in/out, but how? I will have the same vlans that I have in spine to border leaf? OR no, I will have another fabricpath topology with specific vlans inside de border/spine leaf?

I need help to advance/understand in this design.

Thank you everyone!

Rick1776 · ‎02-21-2018

You can keep the same design but use Fabricpath and VxLAN with Anycast Gateways that live in both DC's while you do the transition.

If you look at the following document at the section "Internal and External Routing on the Spine Layer" this should give you a good idea.

https://www.cisco.com/c/en/us/products/collateral/switches/nexus-7000-series-switches/white-paper-c11-737022.html#_Toc447968718

View solution in original post

Rick1776 · ‎02-18-2018

I'll be honest I wouldn't look at Fabricpath but with a VXLAN BGP-EVPN based Overlay. Everything you want to accomplish VXLAN BGP-EVPN based Overlay can do.

Even if your N7K's don't support VXLAN BGP-EVPN, you can do a pair of Nexus 9300 at each side of the DCI to create the overlays. After the migration those can be used as leafs in an ACI fabric which is where you would want to migrate to after your N7K's reach end of life.

This is a good presentation on what I'm referring to.
https://www.ciscolive.com/global/on-demand-library/?search=VXLAN%20DCI&search.event=ciscolivelatam2017&search.event=ciscoliveemea2017&search.event=ciscoliveanz2017&search.event=ciscoliveus2017#/session/1485287124406001gKjC

Cardoni · ‎02-19-2018

Thank you for your response Rick1776!

In this first moment, we can´t buy anything new to the infrastructure. This is bad point... BUT, I i want to organize everthing that I could.

I will check the link that you sent to me!

Rick1776 · ‎02-19-2018

Okay, if you have to use Fabricpath with Nexus 7K's you can achieve what you want, but there are some pretty stringent requirements to run Fabricpath between two data centers with the N7K's (ASR routers don't have the same limitations)

1.) Your line cards have to support Fabricpath M3's, F1's, F2, and F3's
2.) You have to have the Enhanced Layer 2 license.
3.) You have to create a separate VDC for Fabricpath
4.) Your DCI between the two data centers has to support Jumbo frames (add 16 byte header to all frames)
5. Your DCI cannot fragment the packets between DC's.

If you meet those requirements you should be able to deploy Fabricpath

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/fabricpath/configuration/guide/b-Cisco-Nexus-7000-Series-NX-OS-FP-Configuration-Guide-6x/b-Cisco-Nexus-7000-Series-NX-OS-FP-Configuration-Guide-6x_chapter_011.html#reference_30D28...

https://www.cisco.com/c/dam/global/hr_hr/assets/ciscoconnect/2013/pdfs/Cisco_FabricPath_Technology_and_Design_Max_Ardica_Technical_Lead_Engineering.pdf

Cardoni · ‎02-21-2018

Rick1776,

I read the pdf that you sent, and I saw some details that solve part of my design "issues".

The last point that still not solve is how is the best fit of border leaf that I could adopt.

I have at least five kind of border leafs: internet, dci, acquirers, banks and partners.

This five layers is specific for each one, but I know that I could merge acquirers and banks together. My question is: Is smart to still have five layers, or is better to merge all in one, or at least merge some ones. If I choose to keep this layers.

Do you know some doc or live presentation related to border leafs? Some kind of comments about it?

Thank again.

Rick1776 · ‎02-21-2018

You can keep the same design but use Fabricpath and VxLAN with Anycast Gateways that live in both DC's while you do the transition.

If you look at the following document at the section "Internal and External Routing on the Spine Layer" this should give you a good idea.

https://www.cisco.com/c/en/us/products/collateral/switches/nexus-7000-series-switches/white-paper-c11-737022.html#_Toc447968718

Cardoni · ‎02-22-2018

Rick1776,

Looking this image I don´t understand something. The red arrows shows how´s traffic flow, but the port-channel between this border leaf and spine could be a trunk? And I use some SVI to route the traffic that I want? Using or not vrf? My thoughts are correct?

$Description: Y:\Production\Cisco Projects\C11 Deployment Guide-White Paper\C11-737022-00\v1a 050416 0526 vinica\C11-737022-00_Cisco Data Center Spine-and-Leaf Architecture\Links\C11-737022-00_Figure07.jpg$

Thank you!