Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
262
Views
0
Helpful
3
Replies

Multisite Remote Border

p11l
Level 1
Level 1

‎05-29-2024 06:41 AM

Hello Together,

I've a question about the function "multisite remote border".

We've two ideas to solve our explicit logical problem:

1st:

Create evere VN in every site with a separated, reserved, subnet pool. Every VN in every Site has its own IP Subnet.

Our Problem with that solution is that the peering point of the VN is at a firewall so that our firewall team must create every subnet on the firewall and manage separate access list on every interface. A lot of work.

 

2nd:

Create a VN, reserve a larger IP Pool (like in figure 1) and anchor it at the in/egress point and inherit it to every site who needs the VN.

The Point is with that solution that our firewall team needs only to configure one interface with one ACL.

 

I've read the documentation obout "multisite remote border". It is mostly used for pointing a VN like "guest" to exit it at a pricision point like a DMZ. Only a few times i read about "...subnetting is easyer to plan...".

 

So my questions are:

- Can we use it in most cases?

- Are they any points to observe like scaling limits or any other things?

 

Thanks for your help again!

Labels:
0 Helpful
3 Replies 3

andy!doesnt!like!uucp
Spotlight
Spotlight

‎05-30-2024 09:28 AM - edited ‎06-16-2024 06:51 AM

1. u need to create 1 anchored VN. u dont need multiple L3-handoffs from anchor BN(s) to external rtr/fw. it still may be single transfer subnet within anchor VN(VRF) which even shouldnt necessary be within IP-pool u create for that VN. your FW-admins will still maintain rules for the single global subnet. I was trying to model your idea of reserving different sub-pools from single one global pool in lab but hit different issue preventing me from further testing. after i resolve it & finish modeling will let u know.
2. supported approach. still L3-handoff can take subnet from fully different range. l.s. u have 192.168.0.0/16 pool for user access and 172.12.0.0/31 for transfer to FW.
On the rest of your Qs the answers are yes & u have to pay attention to /32 all ENs RLOCs IPs to be present on your anchor BN|CPs & vice versa. & "VXLAN cannot be fragmented" rule of thumb which for UDP will be difficult to meet across non-SDA transits

0 Helpful

jedolphi
Cisco Employee
Cisco Employee

‎06-16-2024 09:28 PM - edited ‎06-16-2024 09:29 PM

All the things Andy said, and also the scale of the BN and CP at the anchoring site needs to accommodate all endpoints at all tethered Fabric Sites e.g. 10 Fabric Sites each with 100 endpoints in an Anchored VN = MSRB BN and CP scale of 1000 endpoints.

Regarding handoff subnet management, one option could be to create a hub and spoke SDA Transit network like so:

jedolphi_0-1718598447347.png

 

0 Helpful

p11l
Level 1
Level 1

‎06-25-2024 12:34 AM

Thanks for your draw!

I need full is-is routing between all edge nodes of any site and any cp/bn of any site.

That sounds it scales not very good for a environment like 1.000 hosts.

0 Helpful
Customers Also Viewed These Support Documents