
Multiple Fabric Sites Design - IP Address Pools & SD-Access Policy

dmorello74
Level 1

I have a question about designing & assigning the IP Address Pools and SD-Access Policy across multiple Fabric sites. First, is it a good design to have the “Users/Campus/Enterprise” VN be available across multiple Fabric sites so the same security policy is maintained across Fabric sites for the same set of Users? If so, for this “Users/Campus/Enterprise” VN, should different IP address pools/subnets be used across the Fabric sites?

1 Reply

Scott Hodgdon
Cisco Employee

dmorello74,

The Virtual Networks (VNs) and Scalable Group Tags (SGTs) in a Cisco SD-Access fabric are available across all sites of a fabric. This allows for policy and security mobility for users / devices that might move between sites, and this has been the number one use case for the customers that I have worked with that have implemented Cisco SD-Access. At this point in time, IP subnets are unique to each site (a site being defined as containing Fabric Borders, Fabric Control Planes and Fabric Edge Nodes and perhaps Fabric-Enabled Wireless LAN controllers if running SD-Access Wireless). We are looking at the ability to have the same subnet across multiple sites for certain use cases. 

I recommend you have a look at a few of the Cisco Live sessions that cover Cisco SD-Access to get a deeper understanding of the design. Three good ones to start are BRKCRS-2810, BRKCRS-2811 and BRKCRS-2815. These can be found in the On-Demand Library on ciscolive.com, and you need not have attended a Cisco Live event to access them.

Cheers,

Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking Group
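
The design rule in the reply above (VNs shared across sites, IP subnets unique to each site) can be checked against an address plan before pools are assigned. This is an added example, not part of the reply and not Cisco tooling; the site names, VN names, pools and the `check_plan` helper are all constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan: (site, virtual network, IP pool). All values are made up.
PLAN = [
    ("site-a", "CAMPUS", "10.10.0.0/22"),
    ("site-a", "GUEST",  "10.10.8.0/24"),
    ("site-b", "CAMPUS", "10.20.0.0/22"),
    ("site-b", "GUEST",  "10.10.8.0/25"),   # overlaps the site-a GUEST pool
    ("site-c", "CAMPUS", "10.30.0.0/22"),   # site-c has no GUEST pool
]

def check_plan(plan):
    """Check a list of (site, vn, cidr) rows against the per-site subnet rule.

    Returns (overlaps, gaps):
      overlaps - pairs of pools at different sites whose address ranges
                 intersect, which breaks "subnets are unique to each site"
      gaps     - (site, vn) pairs with no pool, listed for review because
                 the VN itself exists at every site of the fabric
    """
    # strict parsing: a CIDR with host bits set raises ValueError
    rows = [(site, vn, ipaddress.ip_network(cidr)) for site, vn, cidr in plan]

    overlaps = []
    for (s1, v1, n1), (s2, v2, n2) in combinations(rows, 2):
        # only cross-site pairs are compared; that is the rule stated above
        if s1 != s2 and n1.overlaps(n2):
            overlaps.append(((s1, v1, str(n1)), (s2, v2, str(n2))))

    sites = {s for s, _, _ in rows}
    vns = {v for _, v, _ in rows}
    have = {(s, v) for s, v, _ in rows}
    gaps = sorted((s, v) for s in sites for v in vns if (s, v) not in have)
    return overlaps, gaps

if __name__ == "__main__":
    overlaps, gaps = check_plan(PLAN)
    for a, b in overlaps:
        print("cross-site overlap:", a, "<->", b)
    for site, vn in gaps:
        print("no pool for VN", vn, "at", site)
```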