06-21-2021 03:13 PM - edited 06-21-2021 03:13 PM
Hello,
I'm still a newbie when it comes to SD-Access, and I'm looking for answers to my questions:
- I'm a bit confused about IP transit: which protocols could be used between the borders of different sites and the WAN? I see in different documents BGP as a control plane protocol and VRF-lite for the data plane. What if the client's WAN is a different technology?
- When deploying SXP tunnels from ISE to propagate SGTs and policy enforcement across all sites, do we still need to configure something manually in the borders to accomplish the same? Or do we only configure the borders (BGP/VRF-lite) for reachability?
- Can I have an ISE cluster deployed in 2 different DCs, where each has MnT, PAN and PSN, and 5 other PSNs deployed in the most important sites (to support 50,000 devices)?
- What are the requirements to deploy a DNA-C cluster across 2 different DCs? (Latency/bandwidth etc.)
I have tons of questions; a lot of them are maybe stupid, but since there's little to no detail covering this in the CVD, I'm lost.
Thank you guys
06-21-2021 09:50 PM
Any help please?
06-22-2021 05:08 AM
Some answers, as far as I know:
- I'm a bit confused about IP transit: which protocols could be used between the borders of different sites and the WAN? I see in different documents BGP as a control plane protocol and VRF-lite for the data plane. What if the client's WAN is a different technology?
The WAN will be different, using an SD-WAN or IP-Transit design.
- When deploying SXP tunnels from ISE to propagate SGTs and policy enforcement across all sites, do we still need to configure something manually in the borders to accomplish the same? Or do we only configure the borders (BGP/VRF-lite) for reachability?
Yes, if this is not SD-Access, to reach other traditional or IP-transit networks.
- Can I have an ISE cluster deployed in 2 different DCs, where each has MnT, PAN and PSN, and 5 other PSNs deployed in the most important sites (to support 50,000 devices)?
DNAC can be deployed as different clusters in the DCs (big question: do they manage local SD-Access?), or are you looking to manage centrally?
ISE can be deployed anywhere; you can add DNAC to ISE MnT to manage.
- What are the requirements to deploy a DNA-C cluster across 2 different DCs? (Latency/bandwidth etc.)
For now, not supported (some people say yes, some no; the official answer is NO, it will
06-23-2021 01:12 AM
Hi Balaji,
1) The transit is IP based. I would like to have a full understanding of the configuration and considerations needed in the transit, starting from my side (borders and fusion) to the ISP side (I don't know if we should ask them to put any kind of config in place to support something specific, or whether the WAN should stay agnostic about what we are doing on our side and only has to provide reachability).
2) Yes, I really want to have a deep understanding of why and how we deploy SXP tunnels in SD-Access with IP transit: what is the workflow, what is done for reachability in the borders, and what is done for SXP to transport SGTs... These are just the basics; I'm really looking for a deep understanding of every aspect of the architecture.
3) I'm sorry, I didn't get "you can add DNAC to ISE MnT to manage": do you mean monitoring DNA-C health in ISE? We are looking at deploying ISE centrally (in 2 DCs) for cost purposes; we can't afford PSNs in every site.
4) So we are forced to implement a full cluster in a single site? That's dangerous if the site somehow is not reachable or completely destroyed (well, it's unlikely to happen, but possible and should be taken into consideration). I'm aware that DNAC only manages config pushes to sites and checks the health of different components / automation tasks such as new deployments etc., and doesn't affect the control and data plane, but still.
06-22-2021 07:40 AM
TrickTrick,
In addition to what Balaji mentioned, I offer these details:
IP Transit uses E-BGP as the handoff protocol if you choose to use our L3 Handoff automation on the SD-Access Border, and this is our Best Practice recommendation. That said, you can use whatever protocol you want for the handoff, but you would have to configure other protocols manually. If the client WAN is different, then you would have to ensure that redistribution between the protocols is handled appropriately. I would recommend viewing BRKCRS-2811: Cisco SD-Access - Connecting the Fabric to External Networks in the On-Demand Library at ciscolive.com.
An ISE cluster can be deployed across DCs, and if you want the SD-Access sites to point to a load balancer VIP in front of the PSNs, then that is supported. I like the VIP option as it gives you some flexibility on the backend if you have to make changes to the PSNs (IP address, adding / removing PSNs, etc.). Those changes become transparent to SD-Access sites if they are pointing to a VIP that does not change even if the PSNs change.
Splitting a DNA Center cluster across 2 DCs is not supported at this time regardless of how low the latency is between the DCs. The concern here is about potential split-brain scenarios if the connection between the DCs is severed.
Cheers,
Scott Hodgdon
Senior Technical Marketing Engineer
Enterprise Networking and Cloud Group
06-23-2021 02:00 AM
Hi scott,
When you say E-BGP in transit, do you mean on the external side of our borders only, or even on the ISP WAN routers? As far as I know, the ISP side is agnostic about what we are doing regarding SD-Access; they can only provide connectivity using their usual protocols. Do you think it's something that should be discussed with the WAN provider? I will check the Cisco Live session, thank you.
Regarding ISE, I like the idea of a VIP and a load balancer, but we can't afford it; we are thinking of having a cluster deployed over 2 DCs and that's it. I think I need to check latency requirements and bandwidth etc.
So we can't have geolocation redundancy in case the whole DC is down somehow? As I said to Balaji, maybe the fact that DNAC doesn't affect the data plane and control plane process in case of a datacenter failure helps, but where can I find such information? I didn't see it mentioned in Cisco's failover scenarios for the 3-node cluster.
In the end, I would really like to understand more and more about SD-Access, but unfortunately I find it hard since we don't have a global guide pointing towards every piece and the technical challenges and scenarios, not just the concepts but deep and detailed explanations. If you have any recommended library, video series or anything that could help (besides the CVD, because it really only explains general guidelines), please share.
Thank you
06-23-2021 04:32 AM
I can only address some of the resources you are looking for; most SD-Access related resources are here (very helpful). Since it's new, you can get everything in one place, which is very handy, but eventually we will get there once people start using it and use cases become available for our how-to guides.
https://community.cisco.com/t5/networking-documents/cisco-sd-access-resources/ta-p/4196271#Design
Cisco Live presentations are very, very helpful for understanding SD-Access better.
06-23-2021 06:29 AM
Thank you Balaji, I hope that everything is explained there in detail.
06-23-2021 05:14 AM
TrickTrick,
E-BGP for IP Transit is only between the Border and the next hop device. As you state, the ISP side protocol is agnostic to SD-Access.
Documentation of the single-site deployment requirement can be found here: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-2-2/ha_guide/b_cisco_dna_center_ha_guide_2_2_2.html#concept_zfd_5px_zfb :
Multinode cluster deployments require all of the member nodes to be in the same network and at the same site. The Cisco DNA Center appliance does not support the distribution of nodes across multiple networks or sites.
Cheers,
Scott Hodgdon
Senior Technical Marketing Engineer
Enterprise Networking and Cloud Group
06-23-2021 06:21 AM
Regarding the cluster, there's then only one design validated by Cisco, which forces the installation of the 3 nodes in a single location... otherwise maybe we can use a second cluster of 3 nodes in a 2nd DC (which is unlikely to be opted for, for financial reasons).
Sorry for insisting, but when you say next hop device, it's still the provider router, so they need to adjust their config for us to support BGP (in case they don't use it already). If that's the case, are there any resources explaining what we can do on both sides (our side in the border and the provider's side (next hop))?
I'm really curious how people have already started deploying SD-Access (even in labs) while there are almost no details explained step by step, for example from Cisco... Either I'm missing something or there are other resources than Cisco's ones... I'm lost... not gonna lie.
Thank you again
06-23-2021 08:19 AM
TrickTrick,
Sorry for any confusion. I will try to be more clear.
We support any routing protocol for handoff from the SDA Border. Our Best Practice is E-BGP, and this is orchestrated by DNA Center. If you use a protocol other than E-BGP, then you will have to configure it yourself and make sure that there are no loops between the Borders and next-hop devices. One reason we have E-BGP as a Best Practice is because it has built-in loop prevention mechanisms. Any configuration done on the next-hop device has to be done outside DNA Center, as DNA Center will only configure the Border side of the handoff. This is also explained in more detail in the Cisco Live session I sent.
We do have deployment guides available that can walk you through, step by step, different workflows related to SD-Access, and these are found at the link provided by Balaji.
Cheers,
Scott Hodgdon
Senior Technical Marketing Engineer
Enterprise Networking and Cloud Group
07-07-2021 01:08 AM - edited 07-07-2021 01:08 AM
- I'm a bit confused about IP transit: which protocols could be used between the borders of different sites and the WAN? I see in different documents BGP as a control plane protocol and VRF-lite for the data plane. What if the client's WAN is a different technology?
IP Transit means the use of a "Fusion Router" to leak routes. DNAC only automates BGP peering and advertisement on the borders, so it is expected for the Fusion router to use BGP. If your WAN provider uses something else, you can always deploy BGP facing the borders and redistribute routes into the protocol used by your provider.
- When deploying SXP tunnels from ISE to propagate SGTs and policy enforcement across all sites, do we still need to configure something manually in the borders to accomplish the same? Or do we only configure the borders (BGP/VRF-lite) for reachability?
If you want the Borders to enforce SGTs (as Fusions can do it too with SXP inline tagging), yes, manual configuration is needed. An SXP listener session per VRF will be needed to download the IP-to-SGT mappings from the Fusions; this is not automated by DNAC.
- What are the requirements to deploy a DNA-C cluster across 2 different DCs? (Latency/bandwidth etc.)
It doesn't bring a lot to the table to deploy DNAC across DCs, as the high availability depends on 3 nodes, so you would need to split DNAC in a 2-1 fashion. DNAC can't be in HA with only 1 node; in case you lose the DC where the 2 nodes reside, DNAC will be inoperable until 2 nodes are recovered. Because of this quorum, separating a DNAC cluster across DCs doesn't really do anything relevant.
What you might be looking for is Disaster Recovery instead of splitting DNAC across DCs.
Apologies for the ISE question, it is out of my scope!
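To make the split between what DNA Center automates and what stays manual (the eBGP handoff versus the per-VRF SXP listener discussed in the two answers above) concrete, here is a constructed IOS-XE configuration for the border side of a single VRF; it is an added example, not configuration from any post in this thread or from Cisco's documentation. It assumes placeholder values throughout: VRF CAMPUS_USERS, AS numbers 65001 (border) and 65002 (Fusion), the /30 10.10.30.0 on VLAN 3001, and the Fusion router at 10.10.30.2 acting as the SXP speaker.

```ios
! Border side of a per-VRF IP Transit handoff plus a manual SXP listener.
! Constructed example: VRF name, VLAN, addresses, AS numbers and the
! shared secret are placeholders, not values from the thread.
vrf definition CAMPUS_USERS
 rd 65001:3001
 address-family ipv4
 exit-address-family
!
! One dot1q sub-interface per VRF toward the Fusion router (handoff link).
interface TenGigabitEthernet1/0/1.3001
 encapsulation dot1Q 3001
 vrf forwarding CAMPUS_USERS
 ip address 10.10.30.1 255.255.255.252
!
! Per-VRF eBGP peering: this is the part the DNA Center L3 handoff
! automation generates on the border; shown here only for context.
router bgp 65001
 address-family ipv4 vrf CAMPUS_USERS
  neighbor 10.10.30.2 remote-as 65002
  neighbor 10.10.30.2 activate
 exit-address-family
!
! Per-VRF SXP listener: this is the manual part. The border listens,
! the Fusion router (speaker) pushes IP-to-SGT mappings for this VRF.
cts sxp enable
cts sxp default password 0 REPLACE_WITH_SHARED_SECRET
cts sxp connection peer 10.10.30.2 source 10.10.30.1 password default mode local listener vrf CAMPUS_USERS
!
! Operator checks after the session comes up (exec commands, not config):
!   show cts sxp connections brief
!   show cts role-based sgt-map all
```

SXP only carries the IP-to-SGT bindings; the policy the border enforces with them is configured and downloaded separately, and the same three blocks are repeated once per VRF that needs a handoff.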