SD-Access Dual Default Border

markus.forrer
Level 4

In a deployment with a dual default border setup, what kind of connectivity must be configured between the two borders?

Is it necessary to have an ISIS relationship between them? Or can I remove this configuration (from LAN Automation) after applying the iBGP neighborship?

Couldn't find anything in the Cisco docs or the PPTs from Cisco Live.

Accepted Solutions

ChuckMcF
Level 1

We have dual FRs and dual EBNs. FR1 connects to EBN1 and EBN2 and FR2 connects to EBN1 and EBN2 via eBGP. EBN1 and EBN2 are iBGP neighbors. The IGP for the eBGP and iBGP neighbors are the connected interfaces. Each of the connected interfaces is a trunk that allows the VLANs for the VNs (Global, Default, plus the ones we've created).

I strongly suggest using trunks. Each VLAN that is allowed across the trunk is configured for a specific VRF for the VNs that you've created in DNAC. So for each VN you need to create a VLAN (DNAC does most of this for you) and trunk that over your connected links.

Links to the INs are ISIS routed interfaces. Those are the only interfaces we have configured for ISIS in the EBNs.

For configuration simply tell DNAC to configure the EBNs with uplinks to your FRs. DNAC will create the trunk links (ensure there is no configuration on those links before starting) and assign the appropriate VLANs. Once complete you should have all of your configurations for the EBN to FR1 and FR2 complete in the EBN. Simply mirror that in your FRs and you're done with that part. Then you need to configure iBGP between the EBNs. Come up with a VLAN scheme that DNAC isn't going to use (we used 4001 and up) and set up the trunk, allow the VLANs, and the BGP network statements...done. From that point you just need your FRs to route to your Legacy and route leak anything you want to leak between VNs.


Scott Hodgdon
Cisco Employee

Markus,

It is recommended to have either a trunk or routed interface(s) between the borders that can act as a redundant path for both the Underlay and Overlay.

LAN Automation will not configure a Border-Border link.

Cheers,
Scott Hodgdon

Hi Scott

In a dual border/fusion router design, if each border is connected to each fusion router, is the border-to-border trunk/routed interface still required to act as a redundant path?

Yes it's still needed for iBGP connectivity to the other EBN.

Chuck 

Hi,

I was going to create a similar question and then stumbled across this post.

So for your two EBNs, are they connected together using a single interface that you then configured as a trunk? I am currently putting a design together for this and my plan was to use three interfaces. Two interfaces will be configured as routed ports in the underlay and advertised into IS-IS along with the loopbacks on each EBN. iBGP will then be established between the EBN loopbacks. This covers the underlay. The third interface will then be configured as a trunk for the individual overlay VNs with a similar approach of creating new VLANs/SVIs in each separate VRF that won't conflict with the ones that DNAC creates. Can anyone see any issues with this?

Under the idea that a picture is worth a thousand words, please see the attached. This is how we set up ours and reconvergence is very fast. All links shown in the drawing are single links.

A few other things to add:

- In bgp: neighbor X fall-over bfd

- bfd on all vlan interfaces over trunk links; physical for routed.

- We used the connected interface as the bgp source instead of loopback; preference...we want(ed) routing to fail if/when the link goes down.

- DNAC creates the configs in the EBNs for you. You only need to configure the opposite end of the configuration in the FRs and then configure iBGP between the two EBNs. Again we picked VLAN 4001 as the starting VLAN between the EBNs since DNAC doesn't use the 4000 range. At the moment I think we're up to around 4008 or so. Since DNAC configures the EBNs for you, you're kind of forced to do it the way that DNAC configures it.

Hi ChuckMcF,

I finally got round to configuring the EBNs and FRs in my deployment and noticed that DNAC doesn't configure BFD on the VLAN SVIs that it automatically configures for the IP transit VNs (3001-3004 in my case). Did you have to configure BFD manually on both the EBNs and FRs to achieve quick failover for all VLAN SVIs (ones created automatically by DNAC and manually)?

Thanks

It's been about a year since we set up our current Dual EBN/FR but from what I can remember we had to add BFD to all VLAN interfaces and to all BGP neighbors. I'm positive we had to do it on the FRs since DNAC doesn't configure those for you. Once you think you have all interfaces and corresponding BGP neighbors configured with BFD I'd suggest going back through everything to ensure you didn't miss anything. When we did ours I drew the network on a white board showing each link and then checked off that each had all the correct configs.

 

ChuckMcF
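The "go back through everything" check suggested above can be scripted. This is an added example, not part of any poster's reply: it parses a saved running-config and lists VLAN SVIs with no `bfd interval` line and BGP neighbors with no `fall-over bfd` line. The sample config, its addresses, VRF name and AS numbers are constructed, and the function name `audit_bfd` is hypothetical.

```python
import re

# Constructed sample of a border-node config; addresses, VRF name and AS numbers are made up.
SAMPLE_CONFIG = """\
interface Vlan3001
 vrf forwarding CAMPUS
 ip address 10.50.0.1 255.255.255.252
 bfd interval 300 min_rx 300 multiplier 3
!
interface Vlan4001
 vrf forwarding CAMPUS
 ip address 10.60.0.1 255.255.255.252
!
router bgp 65001
 neighbor 10.70.0.2 remote-as 65001
 neighbor 10.70.0.2 fall-over bfd
 address-family ipv4 vrf CAMPUS
  neighbor 10.50.0.2 remote-as 65002
  neighbor 10.50.0.2 fall-over bfd
  neighbor 10.60.0.2 remote-as 65001
  neighbor 10.60.0.2 activate
"""

def audit_bfd(config):
    """Return (SVIs without 'bfd interval', BGP neighbors without 'fall-over bfd')."""
    svis, neighbors = {}, {}
    section = scope = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():            # unindented line: new top-level section
            m = re.match(r"interface (Vlan\d+)$", line)
            section = m.group(1) if m else ("bgp" if line.startswith("router bgp") else None)
            scope = "global"
            if m:
                svis[section] = False
        elif section == "bgp":
            m = re.match(r"address-family \S+ vrf (\S+)", line)
            if m:
                scope = m.group(1)                  # neighbors below belong to this VRF
            elif line == "exit-address-family":
                scope = "global"
            m = re.match(r"neighbor (\S+) (remote-as|fall-over bfd)", line)
            if m:
                key = (scope, m.group(1))
                neighbors[key] = neighbors.get(key, False) or m.group(2) == "fall-over bfd"
        elif section in svis and line.startswith("bfd interval"):
            svis[section] = True
    return (sorted(s for s, ok in svis.items() if not ok),
            sorted(n for n, ok in neighbors.items() if not ok))
```

Run it against the saved configs of both EBNs and both FRs; routed physical interfaces are not covered by this sketch, only VLAN SVIs and BGP neighbors.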

This makes sense - Using BGP we move from an IGP capable of quickly detecting route changes to a protocol that could cause up to 2 mins of black holed traffic should a route go down. Just not sure why DNAC does not configure BFD by default?

Hi Chuck

Thanks for your response. As we discovered EBN2 through LAN Automation, DNAC has implemented an ISIS routed interface between the EBNs. I will replace this with an iBGP peering for the underlay :)

Thank you

Markus,

Actually I've been curious how having ISIS between the EBNs would have worked for us. Still considering making the EBN to EN link run ISIS instead of just being connected. Will dig deeper into this as time allows but I'm very curious how it works for your network if you just left that link as an ISIS and routed iBGP across it. Would appreciate your thoughts.

Chuck

After thinking it through a little more, forget what I said about the ISIS between the EBNs. I forgot about the fact that you need the trunk to send each VLAN (and vrf) between the EBNs. IMHO the easier option is a trunk link passing vrf assigned VLANs and routing iBGP across the connected interface.

Chuck

I would agree with this.

I have been trying to work out the best way to do this in my deployment and was getting confused after reading the Cisco SDA deployment guide. In the guide it instructs you to create a routed link between the EBNs and then establish an iBGP adjacency between them using the loopbacks that are advertised into ISIS. Standard stuff for iBGP.

The guide then goes on to state that iBGP adjacencies will also need to be set up between each EBN for each VN for backup connectivity in the event of a fusion router failure. Now this can't be achieved over the previously configured routed link so either a second interface needs to be connected, and configured as a trunk, or the routed link is reconfigured as a trunk with a VLAN/SVI used for the underlay IP connectivity in addition to the VLANs/SVIs used for each VN. Looking at it, the last option is much simpler.
