Does the SDA architecture allow different devices to have the same IP address?


Hello everyone,

I have a question about DNAC that needs to be consulted. There are multiple Catalyst 9500 switches in the network. They are configured through DNAC to allow multiple switches to have the same distributed gateway address (for example, the IP addresses of loopback 1000-1050 of multiple switches are the same), and these IP addresses will be networked into the BGP process. Is it allowed in SD-Access? What does this cause? Is there a document to explain?

Thank you

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

Scott Hodgdon
Cisco Employee

SYGY,

Do you mean SVIs on the Fabric Edge Nodes have the same IP Address, or are you saying that loopbacks on the 9500s have the same IP Address? What role are these 9500s playing in the SD-Access fabric?

SVIs with the same IP Address are expected as this is what is known as an Anycast Gateway and allows for wired and wireless roaming in SD-Access fabrics. The Cisco Live session BRKCRS-2810 (can be found in the On-Demand Library at ciscolive.com) has a few slides on this. If you are seeing Loopbacks on the 9500s acting as Border Nodes in the SD-Access Fabric, then this is also expected as part of the DHCP process within the SD-Access fabric. The Cisco Live session BRKCRS-3810 (can be found in the On-Demand Library at ciscolive.com) has a few slides on this.

Cheers,

Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking Group

Hi Scott,

Thanks for your response.
The two Catalyst 9500s are acting as Border Nodes in the SD-Access Fabric. There are many loopback interfaces as distributed gateways for hosts. We are testing ping to a destination from a source loopback interface on these two 9500s, such as "ping 8.8.8.8 source loopback1050" or "ping 8.8.8.8 source loopback 1051 ...". If the same operation can be pinged on Border1, it will not be able to ping on Border2, and vice versa.

For example:
C9500-1# ping 8.8.8.8 so lo1051
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.....
Success rate is 0 percent (0/5)

C9500-1# ping 8.8.8.8 so lo1052
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.11.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 21/18/30 ms
-----------------------
C9500-2# ping 8.8.8.8 so lo1051
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/29 ms

C9500-2# ping 8.8.8.8 so lo1052
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.11.2.1
.....
Success rate is 0 percent (0/5)

Is the above the normal symptom?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

This is expected behavior - As Scott mentioned, we use Anycast to allow the same default gateway to be configured on every Fabric Edge as an SVI.  The Loopbacks are then configured on the Borders to allow proper advertisement of the Fabric VN Pools outside of the fabric (via network statements under BGP.)  They are not intended to be used as sources or destinations beyond a default gateway from your hosts.

When you ping using one of those Loopback addresses as a source, the reply will return to the Fabric via routing based on your routing metrics, and may end up returning to an alternate Border as you are seeing in your testing.

Hope that helps!

Roddie
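
An added example, not written by anyone in this thread: a small Python parser for ping transcripts in the shape posted above, which groups results by shared source address and labels the per-border pattern described in the reply. The function names, the verdict labels and the trimmed sample transcript are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed to the lines the parser needs (same shape as the thread's output).
SAMPLE = """\
C9500-1# ping 8.8.8.8 so lo1051
Packet sent with a source address of 10.1.1.1
Success rate is 0 percent (0/5)
C9500-1# ping 8.8.8.8 so lo1052
Packet sent with a source address of 10.11.2.1
Success rate is 100 percent (5/5)
C9500-2# ping 8.8.8.8 so lo1051
Packet sent with a source address of 10.1.1.1
Success rate is 100 percent (5/5)
C9500-2# ping 8.8.8.8 so lo1052
Packet sent with a source address of 10.11.2.1
Success rate is 0 percent (0/5)
"""

PROMPT = re.compile(r"^(\S+)#\s*ping\s")
SOURCE = re.compile(r"source address of (\S+)")
RATE = re.compile(r"Success rate is (\d+) percent")

def parse_pings(text):
    """Yield (device, source_ip, success_percent) for each ping run."""
    device = src = None
    for line in text.splitlines():
        if m := PROMPT.match(line.strip()):
            device, src = m.group(1), None   # new run: forget the previous source
        elif m := SOURCE.search(line):
            src = m.group(1)
        elif (m := RATE.search(line)) and device and src:
            yield device, src, int(m.group(1))

def classify(text):
    """Map each shared source IP to (verdict, borders that received replies)."""
    tested, replied = defaultdict(set), defaultdict(set)
    for device, src, pct in parse_pings(text):
        tested[src].add(device)
        if pct > 0:
            replied[src].add(device)
    result = {}
    for src, devices in tested.items():
        got = sorted(replied[src])
        verdict = ("no-return-path" if not got          # no border saw replies
                   else "anycast-asymmetry" if len(got) < len(devices)
                   else "symmetric")                    # every tested border saw replies
        result[src] = (verdict, got)
    return result
```

A source address that comes back as "no-return-path" is the case worth investigating; "anycast-asymmetry" matches the behavior described as expected in this thread.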

Hi Roddie,

Thank you very much. Is there any document that explains this: 'They are not intended to be used as sources or destinations beyond a default gateway from your hosts.'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

That's a good question - I haven't seen any documentation specifically on it with Software-Defined Access, but this is really just a function of how Anycast was designed to work.

The first paragraph of the Anycast wiki describes the intent:

"Anycast is a network addressing and routing methodology in which a single destination address has multiple routing paths to two or more endpoint destinations. Routers will select the desired path on the basis of number of hops, distance, lowest cost, latency measurements or based on the least congested route."

A packet will take the shortest routing path towards a given Anycast address.

To bring the example back to Fabric for a moment.  If a host is connected to Fabric Edge 1 and you try to ping the host from Fabric Edge 2 using the Anycast address as a source, the reply from the host will be received by Fabric Edge 1 since it is the closest interface with that address, so Fabric Edge 2 will never see it.

Hi Roddie,

Thank you for your help, I got it. I hope that Cisco will announce this issue.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !