02-25-2021 01:08 AM - edited 02-25-2021 02:10 AM
I would like to discuss the scenario where endpoints are connected to a standard switch which is itself connected to the fabric edge of an SDA campus network (as shown in the attached picture).
The clients on the non-SDA switch have to connect to a server located in the datacenter through the SDA campus.
First question: Is this a scenario that can work? If yes, how?
Second question: If this doesn't work, what can be the alternative?
Third question: If a router is connected between the non-SDA switch and the fabric edge, does this work?
02-25-2021 02:37 PM
Hi team
Yes, we allow non-SD-Access switch to connect to SD-Access Edge Node. If you set Edge Node port type to "Server" it becomes an 802.1Q trunk. Then on downstream switch you match the SD-Access VLAN IDs as required. FYI "Server" port has been renamed to "Trunk" port in next major release of SD-Access for the exact reason you asked this question - we want to make it clear that it's supported to connect external switches.
If Edge Node port is access port (Not Server/Trunk port), then you can have non-SDA switch connected also, BUT, Edge Node access port has BPDU Guard enabled and you cannot turn it off today (roadmap, hopefully later this year), so, you would need to block BPDUs on the non-SDA switch if Edge Node port is access port.
Yes, you can put a router between an SDA Edge Node and a non-SDA switch. The router will need to present a single IP address into the SDA fabric, i.e. you cannot program static routes on the Edge Node pointing to the router - so in other words, the router would NAT the external network so that it appears to the SDA fabric the same as any other endpoint, e.g. printer, PC, etc.
(We CAN route between a router and SDA Edge + Border Node, but that is a much larger conversation, I assume it is not what you're looking for here).
N.B. I have a presentation on all the new SDA compatibility scenarios at Cisco Live next month (March 2021). Hope those interested get a chance to review it.
Cheers! Jerome
02-25-2021 10:58 PM
Yes, connect it to an Edge Node access port. I will update the field on this at Cisco Live next month. In meantime you can see some detail in my previous presentation on this topic - go to www.ciscolive.com and search for presentation BRKENS-3822. See the slide entitled "FE Access Port with Unintelligent Switch". Link -> https://www.ciscolive.com/global/on-demand-library.html?search=brkens-3822#/session/1570575336196001v4R5
Best regards, Jerome
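To make the two attachment options from Jerome's replies above concrete, here is an added configuration example for the non-SDA (downstream) switch. It is not from the original thread or from Cisco documentation; the interface names, VLAN IDs (1021, 1022) and VLAN names are placeholders that must be replaced with the VLAN IDs actually provisioned on the SD-Access Edge Node.

```ios
! ===== Option 1: Edge Node port type "Server" (renamed "Trunk") = 802.1Q trunk =====
! The downstream switch must carry the SAME VLAN IDs the Edge Node uses.
! VLAN IDs below are placeholders - take the real values from the fabric configuration.
vlan 1021
 name SDA_USERS_PLACEHOLDER
vlan 1022
 name SDA_PRINTERS_PLACEHOLDER
!
interface GigabitEthernet1/0/48
 description Uplink to SDA Edge Node (Edge port type Server/Trunk)
 switchport mode trunk
 ! prune the trunk to only the fabric VLANs that are actually needed
 switchport trunk allowed vlan 1021,1022
 ! do not rely on DTP negotiation toward the fabric
 switchport nonegotiate
!
interface GigabitEthernet1/0/1
 description Endpoint port on the non-SDA switch
 switchport mode access
 switchport access vlan 1021
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! ===== Option 2: Edge Node port is an ACCESS port (BPDU Guard on, cannot be disabled) =====
! The non-SDA switch must not send BPDUs toward the Edge Node, or the Edge port is err-disabled.
interface GigabitEthernet1/0/48
 description Uplink to SDA Edge Node (Edge port type Access)
 switchport mode access
 switchport access vlan 1021
 ! stop BPDUs on this uplink so the Edge Node's BPDU Guard does not shut the port
 spanning-tree bpdufilter enable
```

Two practical notes on Option 2: with BPDU filtering on the uplink, spanning tree can no longer detect a loop formed through the non-SDA switch, so keep that switch single-homed to the fabric; and because the Edge Node port is an access port, all endpoints behind it land in one VLAN/subnet, so per-VLAN segmentation from Option 1 is not available there.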
02-25-2021 02:19 AM - edited 02-25-2021 02:33 AM
As per the diagram, it works technically. You can extend SGT to non-fabric devices so they work as expected.
There is a good document on how you can extend to non-fabric devices:
https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/EE/DG/ee-dg/ee-dg.html
02-25-2021 04:31 AM
The document doesn't say that. It says that we need to use a Cisco fabric extended node.
However here we use unmanaged 3rd party switch or non sda capable switch.
02-25-2021 06:50 AM
Look at Figure 7 - is that what you are looking to deploy?
02-25-2021 10:10 PM - edited 02-25-2021 10:34 PM
If the switch is an unmanaged switch (no configuration), VLAN tagging will not happen. Is there a solution for that?
11-06-2022 02:40 AM
Hey all!
This is really great information! In many cases there is a need to use a non-SDA capable switch connected to FE, for "quick and dirty" solutions, that is until a new SDA switch can be provided (this can take up to many months in the current post-covid situation).
I have a question which came up after watching the BRKENS-3822 presentation. If an "unintelligent switch" is connected to FE there is a limitation of 10 end devices that can be hosted. Does this same limitation apply when an intelligent switch is used?
From all the previous conversation it is my understanding that if a non-SDA switch is connected to FE it can still do TrustSec, if it is manually configured properly. Is this correct? I haven't gotten round to reading "https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/EE/DG/ee-dg/ee-dg.html", so maybe this is described in this doc.
Kind regards,
Katerina
03-08-2024 08:32 AM
Hello everyone
In the SD-Access Design with Layer 3 Routed Access I noticed that the access switches are interconnected to the distribution switches but not directly to each other.
So I'd like to know, since the routing decision is made directly at the access switches, why not interconnect them directly to each other in addition to interconnecting them to the distribution switches?
03-08-2024 08:46 AM
This same question from you has been answered in a different thread. Please don't mix topics.