Solved: L3 handoff without a FusionRouter

trickyg · ‎01-15-2021

Hi

I am in the process of introducing SDA into our network and would prefer to route-leak between the VNs on the border router itself rather than handoff to the Fusion Router. I am aware of the reasons a Fusion Router is used (no automated changes can be made to the route leaking and the in-built loop prevention that BGP brings) however surely a well designed and controlled route-policy will negate these issues.

Does anyone deploy there SDA in this manner and if so any tips on route prevention?

In this particular topology use of the Fusion router would lead to inefficient paths being taken and a single point of failure as we have two cores that would be acting as Border nodes but only one Fusion Router

Jonathan Cuthbert · ‎01-15-2021

In this particular topology use of the Fusion router would lead to inefficient paths being taken and a single point of failure as we have two cores that would be acting as Border nodes but only one Fusion Router

Leaking routes on the border node is not going to fix the underlying issue here which is your topology.

It might move the route leaking responsibility to a pair of devices, but when you egress out of the fabric towards your shared services, you still have a single point of failure. It may seem like you are gaining added resilience, but you are not.

@trickyg wrote:

Hi

I am in the process of introducing SDA into our network and would prefer to route-leak between the VNs on the border router itself rather than handoff to the Fusion Router.

It is (allegedly, reportedly, though I have never tested it) technically feasible to leak routes on the border node itself. I tell you this because we are all engineers, and we figure out creative ways to do things based on the knowledge and experience and of course, information sharing. However, technically feasible ≠ supported. We support leaking routes on the an external entity. We do NOT support leaking routes on the border node itself. There are lots and lots and lots of reasons you don't want to do this beside the high degree of potentiality for interfering and breaking some Cisco DNA Center configured element.

In the SD-Access CVD, you can see me heavily promoting the use of service blocks (consider it a fusion router in your scenario).

Why?
"it isolates or separates specific functions into dedicated equipment allowing for cleaner operational processes and configuration management. It also provides a centralized location for applying network security services and policies such as NAC, IPS, or firewall. "

Please route leak externally, not on the fabric devices.

View solution in original post

georgehewittuk1 · ‎01-15-2021

Not possible to push this from DNAC via SDA config but there could be a way in configuring yourself directly on the switch but not with BGP (fairly sure not possible between VRFs but would be interested to know.)

Have you considered micro-segmentation in the same VN based on the requirements you are trying to meet.

Jonathan Cuthbert · ‎01-15-2021

In this particular topology use of the Fusion router would lead to inefficient paths being taken and a single point of failure as we have two cores that would be acting as Border nodes but only one Fusion Router

Leaking routes on the border node is not going to fix the underlying issue here which is your topology.

It might move the route leaking responsibility to a pair of devices, but when you egress out of the fabric towards your shared services, you still have a single point of failure. It may seem like you are gaining added resilience, but you are not.

@trickyg wrote:

Hi

I am in the process of introducing SDA into our network and would prefer to route-leak between the VNs on the border router itself rather than handoff to the Fusion Router.

It is (allegedly, reportedly, though I have never tested it) technically feasible to leak routes on the border node itself. I tell you this because we are all engineers, and we figure out creative ways to do things based on the knowledge and experience and of course, information sharing. However, technically feasible ≠ supported. We support leaking routes on the an external entity. We do NOT support leaking routes on the border node itself. There are lots and lots and lots of reasons you don't want to do this beside the high degree of potentiality for interfering and breaking some Cisco DNA Center configured element.

In the SD-Access CVD, you can see me heavily promoting the use of service blocks (consider it a fusion router in your scenario).

Why?
"it isolates or separates specific functions into dedicated equipment allowing for cleaner operational processes and configuration management. It also provides a centralized location for applying network security services and policies such as NAC, IPS, or firewall. "

Please route leak externally, not on the fabric devices.

trickyg · ‎01-18-2021

Thanks for the response:

From a routing perspective there is not a single point of failure as there are resilient paths to the server farm via other links connected to the border nodes (via what willl be a second fabric site) The single point of failure is due to the fact that the Route leaking between the fabric and shared services will be being performed via a single stack (the distribution stack). If route leaking between fabric and shared services on Border node is not supported then I would have to implement the Fusion Router as a VSS stack in order that maintenance of switch etc does not bring down whole fabric site connectivity