SD-Access, VN with multiple IP pools
01-26-2022 07:38 AM
Hi colleagues,
I was wondering whether anyone has come across the following situation, related to migration of a standard LAN to SDA.
In the traditional LAN (typical 2-tier with L3 on the core and L2 downstream on the access) there could be multiple VLANs serving the same client types on different access switches (worst case - a VLAN per access switch). Looking at the transition to SDA, and where we can't change existing used IPs, what are the options? Any thoughts, please?
Thanks,
Guy
01-26-2022 08:27 AM
This is a very typical request for migration where IP subnets must be both in and out of the fabric at the same time. I recommend having a look at the SD-Access Migration sessions in the Cisco Live On-Demand Library, specifically:
- Real World Route/Switch to Cisco SD-Access Migration Tools and Strategies - BRKCRS-3493 Event: 2020 Digital APJC
- Updated Cisco SD-Access Migration Strategies - BRKENS-2008 Event: 2021 Digital
- Cisco SD-Access Integrating with Your Existing Network - BRKCRS-2812 Event: 2020 Barcelona
Cheers,
Scott Hodgdon
Senior Technical Marketing Engineer
Enterprise Networking and Cloud Group
01-26-2022 08:47 AM - edited 01-26-2022 08:49 AM
Thanks Scott,
Indeed - the multiple IP pools in a VN is OK - it's just that, having e.g. 10 IP pools for the same user community (example "employees"), I'm not sure how to deal with that from an ISE policy point of view (authorization VLANs?). So perhaps this is more an ISE question than SD-Access...
I'll take a look at the listed CL sessions.
Cheers,
Guy

01-26-2022 09:28 AM
Yes, ISE will assign a VLAN based on the authentication result and then that VLAN is mapped to a VN (aka VRF) on the SVI.
Cheers,
Scott Hodgdon
Senior Technical Marketing Engineer
Enterprise Networking and Cloud Group
01-26-2022 10:57 PM - edited 01-26-2022 10:57 PM
Hi Scott,
Indeed - so in the scenario where you end up, in SDA (not traditional networking), with multiple VLANs for the same user community within the same VN - how do you craft the ISE policy so that users are shared across these multiple VLANs after they have authenticated? That's really the scenario I'm looking into.
User group "employees", and I have VLAN names employee_1, employee_2, employee_3, employee_4, etc.
Best regards,
Guy

01-27-2022 12:06 AM
In ISE there will be policy sets that will assign a VLAN based on the authentication / authorization information or perhaps even device profiling (or both). So perhaps the VN "Employees" has VLANs for HR, Sales, Engineering, Finance, IT, etc, and the employees in those groups are assigned to those VLANs when they are authenticated by ISE.
Have a look at the Policy Sets chapter at https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_segmentation.html#ID37. If you can get your hands on a demo ISE in dcloud.cisco.com or developer.cisco.com (see the sandboxes), then that will help you look at the GUI to better understand what is being discussed in the admin guide.
Cheers,
Scott Hodgdon
Senior Technical Marketing Engineer
Enterprise Networking and Cloud Group
01-27-2022 12:53 AM - edited 01-27-2022 12:54 AM
Thanks Scott,
Let me add one more layer - in my example assume all users are Engineering and they need to get "distributed" across these multiple VLANs (on SDA). How would we do that in ISE?
Cheers,
Guy

01-27-2022 03:27 AM
I do not know the inner workings of ISE (not my area of focus), so you may want to follow up with this in the ISE community. That said, the way I believe it works is to add user/device profiles to specific groups in ISE and then those groups are associated with specific policy sets.
Cheers,
Scott Hodgdon
Senior Technical Marketing Engineer
Enterprise Networking and Cloud Group
02-03-2022 12:24 PM
Hi Guy,
You can achieve that by putting the switches into different location groups. You also have to define different AuthZ Results with the different VLANs assigned.
Then you can make policy sets based on the location of the switches.
For example, if Engineer A connects to a switch in Location A, he gets Engineer-VLAN-A assigned.
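The location-based approach described in the two answers above (policy sets keyed on the user's group plus the switch's location group, each returning an AuthZ result with its own VLAN), modelled as a small first-match evaluator. This is an added illustration, not code from the thread or from Cisco ISE; the rule names, locations and VLAN names are constructed, and the RADIUS attributes are the standard IETF tunnel attributes ISE returns for VLAN assignment. It also includes a check for rules that an earlier catch-all rule would shadow, which is the usual way such a policy silently stops spreading users across pools.

```python
# Toy model of ISE policy-set evaluation for location-based VLAN assignment.
# Constructed example, not ISE code: rule/location/VLAN names are made up.
from dataclasses import dataclass
from typing import Optional

@dataclass
class AuthzProfile:
    name: str
    vlan: str  # VLAN name in the fabric, which maps to one IP pool in the VN

    def radius_attrs(self):
        # IETF attributes ISE sends in Access-Accept for dynamic VLAN assignment
        return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "802",
                "Tunnel-Private-Group-ID": self.vlan}

@dataclass
class Rule:
    name: str
    identity_group: str       # group the authenticated user must belong to
    location: Optional[str]   # Network Device Group location of the switch; None = any
    profile: AuthzProfile

# Constructed policy: every user is Engineering, one VLAN/pool per switch location.
RULES = [
    Rule("Eng-Loc-A", "Engineering", "Location-A", AuthzProfile("Eng-A", "employee_1")),
    Rule("Eng-Loc-B", "Engineering", "Location-B", AuthzProfile("Eng-B", "employee_2")),
    Rule("Eng-Any", "Engineering", None, AuthzProfile("Eng-Default", "employee_3")),
]

def authorize(identity_groups, nad_location, rules=RULES):
    """First-match evaluation, as ISE does: returns (rule name, RADIUS attrs).
    No match means DenyAccess (Access-Reject) with no attributes."""
    for r in rules:
        if r.identity_group in identity_groups and r.location in (None, nad_location):
            return r.name, r.profile.radius_attrs()
    return "DenyAccess", {}

def shadowed(rules):
    """Names of rules that can never match because an earlier any-location
    rule for the same identity group already catches those users."""
    catch_all_seen, dead = set(), []
    for r in rules:
        if r.identity_group in catch_all_seen:
            dead.append(r.name)
        if r.location is None:
            catch_all_seen.add(r.identity_group)
    return dead
```

Run `shadowed()` against the rule order before deploying a change: if the catch-all sits above the per-location rules, every Engineering user lands in the default pool regardless of switch.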
05-04-2023 02:21 PM
Hi,
If it's for specific SGT assignment, you can always differentiate an endpoint with a specific attribute as belonging to a specific ID group :0)
Does it make sense for you in your case?
