cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6977
Views
55
Helpful
13
Replies

L2 DHCP service inside SDA fabric

Hi,

 

We are evaluating the SDA DNA Center solution to migrate an old Cisco devices network to a new Cisco SDA network. One of the critical services that are currently running inside the network use L2 ARP flooding traffic to discover and operate special devices and also to give DHCP IP Adressses. We don't know which IP addresses works inside this L2 network and we need to be sure that this service will operate inside the SDA campus without having to know the IP range that are configured. Take in mind that the endpoints will be connected to differents edge nodes.

 

Kind regards and thanks in advance,

 

Joel

1 Accepted Solution

Accepted Solutions

jedolphi
Cisco Employee
Cisco Employee

Hi Joel, we do have a Limited Availability feature that might help in this scenario. The feature is called "L2VN" which is essence is a VLAN on the SD-Access fabric - no SVI (gateway), no DHCP helper and L2 flooding. L2VN is not ready for general consumption yet but can be used with Cisco BU approval. You would need to talk to your Cisco SE/AM/CX contact about how to access the feature and access support for it. Best regards, Jerome

View solution in original post

13 Replies 13

Hi Joel

u might already found the A on your Q. but just for the case: SDA promises it can support L2 flooding across stretched BD (still refers there to n IP-pool though which may mean u still need to provide some value there -  i'm not able to check it):

https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/software-defined-access/guide-c07-741859.html#_Toc2934401 (Layer 2 flood)

good luck

@JL421-Retired 

i understand Joel's requirement exactly like it's described at above reference (moreover, his case is not something extraordinary/exotic to be ignored in the solutions like SDA :0). Other words: i'm pretty sure what Cisco described with Layer 2 flooding within SDA will do what he need (inc. flooding DHCP which is broadcast mentioned in the article)

It does not, I have tested that multiple times and the current implementation of L2 flooding with a standard SDA deployment does not pass DHCP Offers sourced within the VN between devices. It may function if you disable DHCP snooping the VLAN that has L2 flooding enabled, which I believe you'd have to do as you cannot trust a LISP interface for DHCP snooping.

ok. even assuming that you have configured all stuff properly DHCP-snooping interference is quite possible. But what happens with endpoints from the CLI diagnosis perspective in your environment? endpoints r authorized on the LAN (meaning u have NAC and/or some open mode enforced)? their DHCPDISCOVERs reaches their FEs?  any debugs/packet capturing to track DHCP-flows?

In my testing, DHCPDISCOVERS were not forwarded between FEs. If the DHCP server was located on the same FE as a client, the entire process worked as expected. I did not test disabling DHCP snooping, but given that changes to a fabric network could change a VLAN ID, or reenable DHCP snooping, the added complexity of documenting a non-recommended modification and training staff on it wasn't worth it and the server was moved outside of the fabric.

JL421-Retired
Level 1
Level 1

L2 flooding will work, but DHCP will not be passed within the the fabric. There may be a workaround, but you won't be running in a supported scenario and it is likely to break.

 

You'll need to put your DHCP servers outside the fabric if you want stability.

can u try to disable DHCP-snooping on the target VXLAN?

You can do this as an experiment, but, nobody should not be modifying the SD-Access configuration automatically pushed by DNA Center - TAC and Cisco will not support this action in a production network environment. Also please note that DNA Center could re-add the DHCP snooping later. I suggest these two actions please:

1. Make sure the L2 flooding is working properly - do other broadcasts that are not DHCP get flooded within the same IP pool?

2. Talk to sales team about getting early access to the L2VN feature I mentioned earlier - this feature has no SVI in fabric and has no DHCP snooping enabled.

Cheers! Jerome

jedolphi
Cisco Employee
Cisco Employee

Hi Joel, we do have a Limited Availability feature that might help in this scenario. The feature is called "L2VN" which is essence is a VLAN on the SD-Access fabric - no SVI (gateway), no DHCP helper and L2 flooding. L2VN is not ready for general consumption yet but can be used with Cisco BU approval. You would need to talk to your Cisco SE/AM/CX contact about how to access the feature and access support for it. Best regards, Jerome

Hi Jerome,

 

Do you have more information regarding the L2VN feature?? Do you know when will it be released and which will be the requirements?

 

Kind regards,

 

Joel

Hi Joel, Q3 this year is the current plan. Please don't take that as a commitment but rather a rough estimate. Features can slip. Regarding specific details on requirements and caveats, please talk to your Cisco sales representative. Cheers, Jerome

Hi Jerome,

 

Whats the difference with the L2VNI feature that will be available in Q3 with the currently availale feature in DNAC 2.1.2.X today? Looking at our production DNAC 2.1.2.6 deployment, we have the Layer 2 option available when adding a segement to the fabric. I have tested and this provisions a VLAN within the fabric with no Anycast SVI, enables L2 flooding and disables DHCP snooping. Is this the same feature? Is it just support that is not fully available yet?

 

L2VNI.png

Q3 (estimated) L2VN feature is an enhancement on the "Layer-2 only" pool you have screen captured. If you check the info bubble next to L2 only it should give an appropriate warning along the lines of "don't use this feature without Cisco SME interlock". In other words, L2 only in 2.1.2.x code is not ready for General Availability - it does have some non-trivial caveats and is not (or at least should not!) documented anywhere on Cisco.com. The Q3 version of this will be enhanced to accommodate more use cases, should be Generally Available, and the supported use cases and caveats will be documented publicly. I know that's not a comprehensive answer - for any further detail please talk to your sales team - I cannot commit specific roadmap details on a public forum. Cheers! Jerome