04-08-2020 04:22 AM
In a scenario with two VNs: VN1 with IoT devices and VN2 with clients. Both VNs contain multiple SGTs.
I'm quite unsure about the "Best Practice" use case regarding Fusion Routers and VNs in a Fabric.
To my understanding, each time I want to connect/route traffic between two VNs I have to leave the Fabric. So I have to use a Fusion Router to complete this task.
I read that I can use a firewall or a dedicated device as a Fusion Router (or even my core switch?).
But I don't know which way I should go to connect both VNs, containing IoT devices on one VN and clients on the other, or is it "overkill" to use two different VNs just to separate IoT devices and clients?
04-08-2020 04:59 AM
The idea of a VN is equivalent to a VRF, meaning devices in a VN will only be able to talk to devices in their own VN (VRF), unless there is a route leak between both VNs (VRFs).
So if you think your IoT devices have no business ever talking to clients, then sure, go with 2 VNs, and the third will of course be the global routing table, which has your DHCP, DNA, NTP etc.
You can use 2 routers for redundancy as per this design guide by Cisco.
04-08-2020 05:15 AM
Thanks for your fast reply.
If some clients have to connect to the IoT devices to receive data etc., would a single VN with an SGT (or multiple SGTs) for the IoT devices be the better choice?
04-08-2020 06:22 AM - edited 04-08-2020 06:25 AM
If you do a single VN you can still do micro-segmentation within that VN between clients and IoT devices, so you still have a sense of good segmentation, so it's not that bad.
If you keep both of them in different VNs, it will give you the option to scale better and make more precise policies in case you add more varieties of IoT devices or different users based on roles.
04-08-2020 08:23 AM
Until now I don't see any advantage in using a separate VN for IoT devices, to be honest.
As @ammahend mentioned, micro-segmentation is still possible with a single VN and multiple SGTs.
So to my understanding, connecting a second VN is more complex and requires more manual configuration (Fusion Router) but does not increase security or functionality?
Since I have to start from scratch, I could use a single VN and multiple SGTs for segmentation (including IoT and clients).
If I have to add hundreds of IoT devices in the future, for example, would it still be possible to add another VN and move all the IoT devices?
04-08-2020 08:44 AM - edited 04-08-2020 08:45 AM
As @ammahend mentioned, micro-segmentation is still possible with a single VN and multiple SGTs.
-Yes.
So to my understanding, connecting a second VN is more complex and requires more manual configuration (Fusion Router) but does not increase security or functionality?
-VNs completely segregate the IP pools belonging to them by creating a separate virtual routing instance on your device, the same as a VRF would do. So one VN would not know about the other VN. Essentially, if a host in VN1 tried to reach a host in VN2, the NADs would default-route the traffic to your Fusions, since you would be advertising the default route into BGP (between FRs<-->EBNs) so that each respective VN would have a default route. Then you would leak if you wish, accordingly. Separate VNs do add another layer of increased security.
If I have to add hundreds of IoT devices in the future, for example, would it still be possible to add another VN and move all the IoT devices?
-I would not recommend going down this path. You can accomplish this, but there are several things that would need to change. Remember that within DNAC you have to assign SGTs and IP pools to VNs. This would mean that your VLAN mapping auth string in your ISE authz profiles would need to be modified so that you can properly onboard hosts. Edge nodes would require re-provisioning to update VLAN names, SVIs, and more than likely a few other things. Your manual BGP fusion configuration would also need to be modified. Your routing tables would have to update. The EBNs would need updated config from DNAC as well. This would definitely be a heavier lift and migration. I am sure I am missing some other items as well. Anyway, HTH!
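To make the accepted answer's "default route per VN, then leak if you wish" concrete, here is an added IOS-XE style fusion-router fragment. It is illustrative only, not configuration from the thread, from Cisco or from DNAC: the VRF names, route distinguishers, AS numbers, neighbor addresses and the prefix list are all constructed. Each VN's VRF gets a default route originated toward the border node over eBGP, and the inter-VN leak is restricted with an import map so that only the IoT collector prefix from VN2 becomes reachable from VN1, rather than the whole client VN. If the fusion device is a firewall, the same leak would instead be expressed as an inter-zone policy, which is the usual argument for putting a firewall in that role.

```cisco
! Fusion router, IOS-XE syntax (constructed example, not from the thread).
! Only the client-side collector subnet is allowed to be imported into the IoT VRF.
ip prefix-list IOT_COLLECTORS seq 10 permit 10.20.5.0/24
!
route-map LEAK_TO_IOT permit 10
 match ip address prefix-list IOT_COLLECTORS
!
vrf definition VN1_IOT
 rd 65001:1
 address-family ipv4
  route-target export 65001:1
  ! Importing VN2's route-target is the leak; the import map narrows it to the prefix list.
  route-target import 65001:2
  import map LEAK_TO_IOT
 exit-address-family
!
vrf definition VN2_CLIENTS
 rd 65001:2
 address-family ipv4
  route-target export 65001:2
  ! Clients learn the IoT pools so return traffic has a path.
  route-target import 65001:1
 exit-address-family
!
! Static default per VRF toward the upstream/firewall next hop (constructed address).
ip route vrf VN1_IOT 0.0.0.0 0.0.0.0 192.0.2.1
ip route vrf VN2_CLIENTS 0.0.0.0 0.0.0.0 192.0.2.1
!
router bgp 65001
 ! One eBGP session per VN handoff to the border node (EBN), AS 65002 is constructed.
 address-family ipv4 vrf VN1_IOT
  neighbor 10.0.1.2 remote-as 65002
  neighbor 10.0.1.2 activate
  ! Advertise 0.0.0.0/0 into the VN so fabric hosts default-route to the fusion.
  neighbor 10.0.1.2 default-originate
 exit-address-family
 address-family ipv4 vrf VN2_CLIENTS
  neighbor 10.0.2.2 remote-as 65002
  neighbor 10.0.2.2 activate
  neighbor 10.0.2.2 default-originate
 exit-address-family
```

With this in place, `show ip route vrf VN1_IOT` on the fusion should show only the 10.20.5.0/24 collector route imported from VN2 alongside the default, which is the check that the leak is as narrow as intended; anything else from the client VN appearing there means the import map is not being applied.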
04-08-2020 10:30 AM
Thank you very much @Mike.Cifelli, I really appreciate your help!
Your answer cleared up the big question mark I had regarding this topic.