Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
959
Views
0
Helpful
5
Replies

Services as ISE VM or DHCP server could be inside the fabric?

acc.94
Level 1
Level 1

‎10-31-2021 11:33 AM

We are deploying an sd access infrastructure and customer wants to migrate their DC services (ISE, DHCP, AD, etc.) to one of fabric edge nodes.

Would this work or do I need to keep this switch out of the fabric?

 

In that case, can this services be on the overlay VN?

 

Thanks!

 

Labels:
0 Helpful
5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

‎10-31-2021 03:17 PM

As per Cisco Documentation, with my Limited deployment knowledge (not widely done) , I do not think that is the right approach to connect to fabric edge node these services, these critical components part of SD-Access deployment.

 

Fabric edge nodes only can connect end devices or AP.  

 

Instead, you move that Services to the upper level.

 

some design guidelines :

 

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-sda-design-guide.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎10-31-2021 09:48 PM

Hello @acc.94 ,

your concerns are correct:

the DHCP server must be out of the fabric.

 

The explanation for this need is the following:

for a given VXVLAN   each fabric node implements the Anycast Concept for the SVI default gateway.

This means that each Fabric node when performing DHCP relay function wil populate the gi address with the SAME IP address for a specific VXVLAN/IP subnet and then it will send the packet inside a VXVLAN UDP packet towards the Border Node that advertised the subnet where the DHCP server IP address is part of.

 

Having the DHCP servers out of the fabric allows to use the Fabric Border nodes as proxies, they have a loopback interface configured with the same IP address of the Anycast SVI so they can propagate the DHCP request to the external DHCP servers.

When the DHCP server answer comes back it is first processed by the local loopback, then using LISP and VXVLAN UDP at the data plane,  and having tracked from what fabric node  has arrived the original DHCP request the Border node can send the DHCP offer to the correct fabric node sending actually to the fabric node loopback address ( in the external UDP header the destination address must be unique so it is the loopback address that is advertised in the IGP actually IS-IS)

The fabric node takes the DHCP offer and propagates it the original requester.

 

So the DHCP servers like other services for example AAA servers or ISE must be out of the fabric and reachable via Border nodes.

 

Hope to help

Giuseppe

 

0 Helpful

acc.94
Level 1
Level 1
In response to Giuseppe Larosa

‎11-01-2021 01:13 AM

Thank you for the help!

 

One last question, in that case, could the 'services switch' be connected to the border node but being out of the fabric and reachable via traditional routing from the border node?

 

Thank you again!

 

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to acc.94

‎11-01-2021 02:38 AM

sure that is a feasible and workable solution here.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

acc.94
Level 1
Level 1

‎11-04-2021 01:15 AM

Thank you all for your help!

 

Anyways, I have one last question, could this services be directly connected on the CP/Border node even on DEFAULT_VN or in GRT VRFs?

0 Helpful
Customers Also Viewed These Support Documents