SDA Border Static Route to a Firewall

Sefik
Level 1

Hello everyone,

We have an upcoming project, but the customer's network is different from what I saw in the design guides. The customer has a Core-Dist-Acc network with a 9500 as core, 9500s as dist and 9200s as edge. The devices are already implemented in the traditional manner. I will convert the network from traditional to fabric. So I will prepare the configurations needed for the SDA fabric and manually put these configurations into the devices. I want to add the devices in DNAC and then push the necessary configuration using configuration templates, but this looks more complex than manual configuration because of the interface names on different devices. I feel like I can make a lot of mistakes when I am creating the Layer 3 links, and at some point I would still need manual intervention to correct the configuration. For example, if I push a wrong interface configuration to the edge switches, I will lose connection to them, because all links will become Layer 3. Is there a rollback mechanism in DNA for situations like this? For example, in SD-WAN there is a rollback option if the configured device becomes unreachable after a configuration is pushed from vManage. I would like to hear your opinions on this subject as well.

I plan to use OSPF as the underlay protocol because it is a well-known protocol for a lot of people, and it can make troubleshooting easier later. My question is: the customer does not have a fusion router. The Border (also the Control Node, which is a stack) is connected directly to a Palo Alto FW, and this FW supports neither BGP nor VRF. My plan is to push the BGP configuration to the borders with the trunk and SVI configuration (I think this is mandatory. Or can I configure the fabric without a Transit network?) but not to establish any BGP sessions. I will only use the pushed trunk and SVI configuration on the Border. Then on the border switch I will create static default routes for each VRF pointing to the Palo Alto's sub-interfaces. I will also add the necessary routes in the FW for return traffic to the Fabric.

BGP is only needed on the Fusion for route leaking between VRFs. So I should accomplish this also using static routes. Is that correct? Did you have a chance to implement an SDA like this before?

Thanks.

Accepted Solutions

jedolphi
Cisco Employee

Hello Sefik,

There is no rollback timer on edge switches; if you accidentally enter wrong configuration, the switch will be inaccessible until someone goes to the console and corrects the problem. Instead of manually converting switch uplinks to L3 you could consider LAN automation, which involves factory resetting each edge switch and having DNAC auto-configure ISIS routed uplinks; some customers have used this to convert legacy switches to SDA: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/tech_notes/b_dnac_sda_lan_automation_deployment.html . Please test this procedure on one or two edge switches so you get clear on how it works. This procedure supports only ISIS.

On your border switches it is perfectly fine to add static routes per VRF towards the external firewall and also have static routes on the external firewall pointing back to the SDA border. In this scenario the route leaking would be happening on the external firewall.

Best regards, Jerome
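The static hand-off Jerome describes has two places where a slip silently breaks segmentation rather than failing loudly: the firewall has a single routing table (no VRF), so every fabric prefix must be unique across VRFs or the return traffic lands in the wrong VRF, and each border SVI and its firewall sub-interface must share a subnet or the per-VRF default route has an unreachable next hop. The script below is an added example, not from the thread or from Cisco: it renders the border side as IOS-XE (trunk, one SVI per VRF, one default route per VRF, VRF definitions assumed to already exist from DNAC), renders the firewall return routes as generic prefix/interface/next-hop rows rather than vendor CLI, and checks both conditions before anything is pushed. The VRF names, VLAN IDs, /30 hand-off subnets, fabric prefixes and interface names are all constructed for illustration.

```python
"""Render the per-VRF static hand-off from an SDA border to a non-BGP, non-VRF
firewall and sanity-check it before pushing.

Added example, not from the original thread.  Everything below is assumed:
VRF names, VLAN IDs, /30 hand-off subnets and fabric prefixes are made up,
the border side is IOS-XE for a Catalyst 9500 border (VRF definitions are
assumed to exist already), and the firewall side is rendered as generic
"prefix / interface / next-hop" rows rather than vendor CLI."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Handoff:
    vrf: str
    vlan: int               # hand-off VLAN carried on the border-to-firewall trunk
    border_ip: str          # border SVI address, e.g. "10.255.1.1/30"
    fw_ip: str              # firewall sub-interface address in the same /30
    fabric_prefixes: tuple  # prefixes the firewall must route back into this VRF


# Constructed sample data (not from the thread).
HANDOFFS = (
    Handoff("CORP",  3001, "10.255.1.1/30", "10.255.1.2/30",  ("10.10.0.0/16",)),
    Handoff("GUEST", 3002, "10.255.1.5/30", "10.255.1.6/30",  ("10.20.0.0/16",)),
    Handoff("IOT",   3003, "10.255.1.9/30", "10.255.1.10/30", ("10.30.0.0/16", "10.31.0.0/16")),
)

# Same design with two typical mistakes, used to show what validate() catches.
BAD_HANDOFFS = (
    Handoff("CORP",  3001, "10.255.1.1/30", "10.255.1.6/30", ("10.10.0.0/16",)),  # FW IP in the wrong /30
    Handoff("GUEST", 3002, "10.255.1.5/30", "10.255.1.6/30", ("10.10.0.0/16",)),  # prefix already owned by CORP
)


def border_config(handoffs, trunk_if="TenGigabitEthernet1/0/1"):
    """IOS-XE config for the border: trunk, one SVI per VRF, one default per VRF."""
    lines = [
        f"interface {trunk_if}",
        " description Trunk to firewall",
        " switchport mode trunk",
        " switchport trunk allowed vlan " + ",".join(str(h.vlan) for h in handoffs),
    ]
    for h in handoffs:
        svi = ipaddress.ip_interface(h.border_ip)
        fw = ipaddress.ip_interface(h.fw_ip)
        lines += [
            f"vlan {h.vlan}",
            f"interface Vlan{h.vlan}",
            f" description Hand-off {h.vrf} to firewall",
            f" vrf forwarding {h.vrf}",
            f" ip address {svi.ip} {svi.netmask}",
            " no ip redirects",
            # interface plus next hop: the route is withdrawn if the SVI goes down
            f"ip route vrf {h.vrf} 0.0.0.0 0.0.0.0 Vlan{h.vlan} {fw.ip}",
        ]
    return "\n".join(lines)


def firewall_routes(handoffs, fw_if="ethernet1/1"):
    """Return routes the firewall needs: (prefix, egress sub-interface, next hop)."""
    rows = []
    for h in handoffs:
        next_hop = str(ipaddress.ip_interface(h.border_ip).ip)
        rows += [(p, f"{fw_if}.{h.vlan}", next_hop) for p in h.fabric_prefixes]
    return rows


def validate(handoffs):
    """Catch mistakes that would blackhole traffic or merge VRFs on the firewall."""
    problems = []
    vlan_owner, prefix_owner = {}, {}
    for h in handoffs:
        svi = ipaddress.ip_interface(h.border_ip)
        fw = ipaddress.ip_interface(h.fw_ip)
        if svi.network != fw.network:
            problems.append(f"{h.vrf}: firewall {fw} is not in border subnet {svi.network}; "
                            "the default route next hop would be unreachable")
        if h.vlan in vlan_owner:
            problems.append(f"{h.vrf}: VLAN {h.vlan} already used by {vlan_owner[h.vlan]}")
        vlan_owner.setdefault(h.vlan, h.vrf)
        for p in h.fabric_prefixes:
            net = ipaddress.ip_network(p)
            for other, owner in prefix_owner.items():
                if owner != h.vrf and net.overlaps(other):
                    problems.append(f"{h.vrf}: {net} overlaps {other} in {owner}; the firewall has one "
                                    "routing table, so return traffic cannot be kept separate")
            prefix_owner.setdefault(net, h.vrf)
    return problems


if __name__ == "__main__":
    print(border_config(HANDOFFS))
    for row in firewall_routes(HANDOFFS):
        print("FW: %-14s via %-16s next-hop %s" % row)
    for problem in validate(BAD_HANDOFFS):
        print("PROBLEM:", problem)
```

Run it as-is to see the clean rendering for HANDOFFS and the two findings for BAD_HANDOFFS; in practice you would feed the same data structure to both the border template and the firewall change so the two sides cannot drift apart, and gate the push on validate() returning an empty list.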
