Create SGT-DSI and same subnet: how to share in a three-site SD-Access fabric, and recommendation about the nature of the border

I am in the phase of realizing the design of SD-Access technology within our headquarters A and the two distinct sites (B, C); we must create three fabrics.
Fabric SD-Access in the headquarters site A: the devices used (two border nodes Catalyst 9500 and two fusion routers Nexus 7K)
Fabric SD-Access in site B: the devices used (two border nodes Catalyst 3850 and fusion router ISR 4K)
Fabric SD-Access in site C: the devices used (two border nodes Catalyst 3850 and fusion router ISR 4K)
Nature of the borders in the three sites: control plane and border mode (Anywhere or External)
Please find attached my target architecture: first for the HQ site, second for the branch sites, third for the three sites using MPLS.

Question 1: was about the recommendation for the nature of borders.
Anywhere (internal + external) borders connect to the internet and also to known parts of the company like DC, WAN etc.
External border connects to the unknown part of the company like the internet, or is the only exit point from the fabric.


Is Anywhere more stable, or External? Is there not a bug reported concerning this Anywhere Border ???

Question 2: Creation of the SGT_DSI with the subnet for example (10.70.10.0/24) in the headquarters site A: how to share it with the two branch sites (B, C)?
If I have three SD-Access fabrics, do I have to create three SGT_DSI (SGT_DSI_A, SGT_DSI_B, SGT_DSI_C) with different subnets in the three fabrics?

for example Fabric site A (SGT_DSI_A = subnet 10.70.10.0/24), Fabric site B (SGT_DSI_B = subnet 172.23.10.0/24), Fabric site C (SGT_DSI_C = subnet 172.24.10.0/24),
Note that communication between the three sites is MPLS-based.
How to keep the same SGT_DSI_A with subnet (10.70.10.0/24) in the headquarters fabric and fabric site B and fabric site C, or should I create three SGT_DSI with different subnets for the three fabrics ????

Attachments: architecture-Fabric-HeadQuarters.JPG, Architecture-Site-B-C.jpg, Architecture-used-three-site.jpg


5 Replies

jedolphi (Cisco Employee)

Hi Khalil, for Q1, please review the two YouTube videos on border types and use cases,

https://youtu.be/bEMfSLYZt5s

https://youtu.be/9Yoy_P_PUCE

After reviewing those videos please share your thoughts - given the situation you have described it sounds like probably the external (default) borders would be most appropriate.


For Q2 you could review the segmentation strategy guide. There are a number of mechanisms you can use to transport SGT between sites, including SXP, static subnet-to-SGT mapping commands on the borders, and various methods of inline SGT such as DMVPN, SDA Transit, SGT in Ethernet CMD or SD-WAN as a Transit,

https://community.cisco.com/t5/security-documents/segmentation-strategy/ta-p/3757424


Cheers, Jerome

@jedolphi Thank you very much for your answer,
As I indicated in my architectural design, I am creating three SD-Access fabrics:
SD-Access fabric in the main site A.
SD-Access fabric in site B.
SD-Access fabric in site C.
Communication between the three sites is based on MPLS. Nature of transit in the three fabrics: IP Transit.
DNA Center server and ISE platform installed in main site A.
My question: how to keep SGT_IT with subnet for example 10.70.10.0/24 of main site A in both sites B, C?
Or does each SD-Access fabric just keep its own SGT and its subnet? In this case I must create, as in this example:
SGT_IT_A subnet 10.70.10.0/24 for the SD-Access fabric of main site A
SGT_IT_B subnet 172.23.10.0/24 for the SD-Access fabric of site B
SGT_IT_C subnet 172.24.10.0/24 for the SD-Access fabric of site C

How to keep the same SGT and same subnet in three fabrics?
What is the best solution for this scenario ???

Hi Khalil, they are actually two different questions.

Q1. Can you have same user subnet at different fabric sites? Answer is yes, using multi-site remote border, HOWEVER, you should only stretch same subnet across multiple sites if there is a firm technical requirement. To keep the design simple to operate and troubleshoot, we should prefer to have unique subnet at each fabric site.

Q2. Can you use same SGT at each site? Answer is yes. ISE can assign any SGT to any endpoint in any subnet, or as a fallback, the static subnet to SGT mapping can be applied to each site e.g.

site 1 - vn1 - subnet 1 - sgt1

site 2 - vn1 - subnet 2 - sgt1

site 3 - vn1 - subnet 3 - sgt1

Jerome
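The per-site list above, written out as the static subnet-to-SGT fallback mappings on each site's border (IOS-XE `cts role-based sgt-map` syntax). This is an added illustration, not configuration from the thread or from Cisco; the subnets are the ones Khalil gave, while the VN/VRF name CORP_VN and the SGT value 10 are assumptions. In a DNA Center deployment these mappings would normally come from ISE, with the static commands only as the fallback Jerome mentions.

```cisco-ios
! Site A border (HQ): local user subnet 10.70.10.0/24, SGT 10
! VRF name CORP_VN and SGT value 10 are assumed for this example.
cts role-based sgt-map vrf CORP_VN 10.70.10.0/24 sgt 10

! Site B border: different local subnet, same SGT 10
cts role-based sgt-map vrf CORP_VN 172.23.10.0/24 sgt 10

! Site C border: different local subnet, same SGT 10
cts role-based sgt-map vrf CORP_VN 172.24.10.0/24 sgt 10

! Verify on each border that the mapping is installed:
! show cts role-based sgt-map all
```

Because the SGT number is identical at every site, one ISE policy written in terms of SGT 10 applies to the IT users regardless of which site's subnet they happen to sit in.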


@jedolphi thanks for your feedback

About Q1: you said yes, using multi-site remote border, the same user subnet at different fabric sites is possible,
but can multi-site remote border be used when the transit between the sites is IP transit ???

Multi-site remote border: which fabric transit is it used with, IP transit, SD-Access transit or SD-WAN transit ???

Hi Khalil, yes, Multisite Remote Border can stretch a single SD-Access IP subnet across multiple fabric sites when IP Transit is between the sites. We have a 3-part video series that explains. Please review the videos for more detail. Here is the first video in the series: https://youtu.be/w5HQ_CrcxuU . You'll be able to find the 2nd and 3rd video in same location. Jerome