DNAC/SDA/SWIM

dmaillard
Level 1

I just built an SD-Access fabric with two borders to go out to the DNAC and ISE through the fusion.

My DNAC v. 2.1.2.5 is configured with 3 interfaces:

- eno1: for the GUI access

- enp94s0f0 for the communication to the fabric

- enp94s0f1 for the cluster

The DNS resolves the cluster_name to the VIP of the eno1 subnet (10.10.10.10).

The DNAC default-gateway is on the eno1 network 10.10.10.1.

I added a static route to reach the Underlay fabric components (Border and Edge) via the enp94s0f0 network:

172.20.0.0/16 -> 10.10.11.1


I encounter an issue with SWIM because the DNAC tries to communicate with the Underlay from the VIP of eno1.

The Underlay network is not reachable through this VIP but through the Fabric interface.

For security reasons there is no traffic from the eno1 GUI interface to the Underlay.


Is this a design issue? What do you suggest to correct the situation?

Any help is welcome.

Thanks a lot,

Dom


Mike.Cifelli
VIP Alumni

Are you able to ping 10.10.11.1 from the DNAC CLI and see responses? Are your underlay devices added to inventory in this range (172.20.0.0/16)? Double check via the maglev wizard that there is not a fat finger in your static route for the underlay link. The route should look like this on the respective interface: 172.20.0.0/255.255.0.0/10.10.11.1

Hello Mike,

Yes, my underlay devices are added in the inventory in the range of 172.20.0.0/16.

The DNAC can ping each Underlay device through the fabric interface thanks to the static IP route.

In contrast, the Underlay devices cannot ping the DNAC GUI IP 10.10.10.10 because this subnet is not learned in the fabric; only 10.10.11.0/24 is inside the GRT.

Dom

Jonathan Cuthbert
Cisco Employee

@dmaillard wrote:

Is this a design issue? What do you suggest to correct the situation?

Any help is welcome.

Thanks a lot,

Dom

This sounds like a routing configuration issue. Conceptually, think about Cisco DNA Center as a "router" with multiple interfaces.

To reach a destination, you search your routing table for a destination, then you egress out of a particular port.


The Cisco DNA Center CLI will accept Linux "show" commands to show you the interface used to reach a destination. 


So for example, my fabric devices have a Loopback 0 in the 192.168.0.0/16 range and physical ports in the 10.0.0.0/8 range.


[Mon Mar 15 21:57:59 UTC] maglev@x.x.x.x (maglev-master-x-x-x-x) ~
$ ip route get 192.168.10.1
192.168.10.1 via 198.18.133.254 dev enp9s0 src 198.18.133.102
cache

[Mon Mar 15 21:58:48 UTC] maglev@x.x.x.x (maglev-master-x-x-x-x) ~
$ ip route get 10.10.12.1
10.10.12.1 via 198.18.133.254 dev enp9s0 src 198.18.133.102
cache

As you can see, my enterprise port (enp9s0 on the 44-core appliance) is being used.

In contrast, let's look at an internet destination.

[Mon Mar 15 22:00:18 UTC] maglev@203.0.113.102 (maglev-master-203-0-113-102) ~
$ ip route get 208.67.222.222
208.67.222.222 via 100.119.120.1 dev enp1s0f1 src 100.119.121.202
cache

Here, my cloud port (enp1s0f1 on the 44-core appliances) has the default route.  It was the interface configured with the default gateway while my Enterprise port was configured with static routes. 

You can use standard Linux commands such as cat /etc/networking/interfaces to see what your static routes are.
However, if you want or need to change anything, you must use the command sudo maglev-config update

While it may be technically feasible to run Linux "show" commands, Linux configuration commands are not supported. 
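The same `ip route get` check as a small script, added here as an example and not part of any reply in the thread: it parses the "dev" and "src" fields from `ip route get` output and flags any fabric device that the appliance would reach from the wrong port. The interface names, the 10.10.11.x source address and the sample route lines are assumptions built from the question, not real appliance output.

```shell
#!/bin/sh
# Added example, not from the thread: decide, per fabric device, which
# interface and source address the Linux routing table on the DNA Center
# appliance would use, and flag any device that would be reached from the
# wrong port (the GUI/eno1 VIP instead of the fabric port enp94s0f0).

# Extract "dev src" from one line of `ip route get` output, e.g.
#   192.168.10.1 via 198.18.133.254 dev enp9s0 src 198.18.133.102
parse_route_get() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "dev") dev = $(i + 1)
            if ($i == "src") src = $(i + 1)
        }
        print dev, src
    }'
}

# check_egress DEST EXPECTED_DEV [ROUTE_LINE]
# Returns 0 if DEST would leave via EXPECTED_DEV, 1 otherwise.
# ROUTE_LINE is optional; when omitted the live routing table is queried
# (that is what you would do on the appliance CLI itself).
check_egress() {
    dst=$1; want=$2; line=$3
    [ -n "$line" ] || line=$(ip route get "$dst" 2>/dev/null | head -n 1)
    set -- $(parse_route_get "$line")
    if [ "$1" = "$want" ]; then
        printf 'OK   %-15s dev %-10s src %s\n' "$dst" "$1" "$2"
        return 0
    fi
    printf 'WARN %-15s dev %-10s src %s (expected %s)\n' "$dst" "$1" "$2" "$want"
    return 1
}

# Constructed sample lines (assumed addresses from the question): the first
# device is routed correctly, the second would be sent out of the GUI
# interface with the VIP as source, which the underlay cannot answer.
bad=0
check_egress 172.20.1.1 enp94s0f0 \
    "172.20.1.1 via 10.10.11.1 dev enp94s0f0 src 10.10.11.10" || bad=$((bad + 1))
check_egress 172.20.2.1 enp94s0f0 \
    "172.20.2.1 via 10.10.10.1 dev eno1 src 10.10.10.10" || bad=$((bad + 1))
printf 'Devices that would egress via the wrong interface: %d\n' "$bad"
```

To run it against the live table, drop the third argument so each device is queried with `ip route get`; a WARN line means the static route for that prefix is missing or points at the wrong interface.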

The DNAC can ping each Underlay device through the fabric interface thanks to the static IP route. It can also ping the Internet, ISE and WLC through the GUI interface.
The Underlay devices cannot ping the DNAC GUI IP 10.10.10.10 because this subnet is not learned in the fabric; only 10.10.11.0/24 is inside the GRT. To start the SWIM, the DNAC wants to speak to the Underlay from the GUI interface instead of the Fabric interface, and for sure the Underlay devices cannot reply to the DNAC.
Dom
