Tobias Heisele
Beginner

Fabric Scaling - multiple IP Pools within a VN

Hi,

When I want to add an additional IP pool to a VN of a fabric site because the number of clients has increased, how does 802.1X deal with this? Do I need to create a result set within ISE for each IP pool and do some kind of load balancing (something like "based on the NAS IP")?

In legacy 802.1X implementations, ISE returns a "VLAN name" that matches a locally significant VLAN or VLAN list on the switch, but IP pool names are unique. How is this done in SDA?


jedolphi
Cisco Employee

The easiest answer is to use large IP pools e.g. /16s. Is that possible?

Jerome

Hi Jerome,

I'm not talking about the initial setup; I'm looking for a way to scale afterwards (the site gets a new building, acquisitions, etc.). So instead of adding a second pool, is it better to enlarge or replace the existing one?

I know SDA has control mechanisms for L2 flooding, but using such large subnets feels "wrong" ;-)

Accepted solution:

A single large pool is the best answer. /16 is OK in SDA if you do not have L2 flooding enabled. (L2 flooding is disabled by default). As a general rule, do not move small pools into SDA e.g. if legacy network has a /24, do not move the /24 into SDA if you have a choice. Instead create a /16 in SDA (new pool) and move endpoints from legacy /24 into the new /16 pool. Please check latest BRKCRS-2812 on ciscolive.com. Yes, technically we can do VLAN group in SDA, but that is last resort and not recommended.

Hi, jedolphi.

Your colleague seems to disagree, as seen in another forum post: https://community.cisco.com/t5/software-defined-access-sd/sda-subnet-sizing/m-p/3858725

Doesn't it make more sense to move like devices into their own subnets, so that external systems (NAT, or troubleshooting on something like an external firewall) can make sense of where the traffic is coming from?

You could of course use more VNs to segment groups, but then you'd have to hairpin traffic between them at the border/fusion, and I believe you would lose your SGT policy.

From what I've gathered so far from watching the BRKCRS28* videos, the following seems logical:
- Have a low number of VNs (Internal/Guest/INFRA_VN)
- Put all corp devices (PCs, printers, maybe IoT devices if their traffic needs to be available to corp devices) into the Internal VN, but each on its own subnet to keep clarity in the network.
Am I following correctly? I'm quite new to studying the SDA solution, but we have an upcoming deployment early next year.

Hello Joey,

The question asked was specifically about dealing with a single overloaded IP pool. In that scenario, it is better to have a large pool that is not overloaded. I did not say that a single large pool is always the best answer; it depends on the requirements :) You are also welcome to have several pools in the same VN. Please also note there is a maximum number of IP pools supported per fabric site.

Jerome


Ok, thanks for clearing that up.

So if you used to have, say, 4 VLANs that were routed at the distribution layer with some ACLs in between, that is the perfect case to put them in their own IP pools in the same VN in an SDA fabric.

Or you could consolidate all 4 legacy VLANs into one single SDA IP pool and use SGTs for segmentation within the IP pool.
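As an added illustration of the two designs discussed in this thread (this is not code from the thread, from Cisco DNA Center or from ISE), the Python model below contrasts the legacy design, where the ACLs between four /24 VLANs use the address as the identity, with the consolidated design, where endpoints share one /16 pool and the policy is keyed on the group that the 802.1X authorization result assigns to each endpoint. The subnets, addresses, group names and the permitted-pair policy are all constructed for the example; the group names merely stand in for SGTs and nothing here reflects real SGACL syntax.

```python
import ipaddress
from typing import Optional

# Constructed example data: four legacy /24 VLANs routed at the distribution
# layer, and the access policy that the ACLs between them were meant to express.
LEGACY_SUBNETS = {
    "pcs": ipaddress.ip_network("10.1.1.0/24"),
    "printers": ipaddress.ip_network("10.1.2.0/24"),
    "iot": ipaddress.ip_network("10.1.3.0/24"),
    "servers": ipaddress.ip_network("10.1.4.0/24"),
}

# (source group, destination group) pairs that are permitted; anything not
# listed is denied. Constructed for the example.
POLICY = {("pcs", "printers"), ("pcs", "servers"), ("iot", "servers")}

# Constructed SDA view: a single /16 pool in the Internal VN, plus the group
# each endpoint was assigned when it authenticated (what ISE would hand back
# at authorization time). The group names are hypothetical stand-ins for SGTs.
SDA_POOL = ipaddress.ip_network("10.1.0.0/16")
ENDPOINT_GROUP = {
    "10.1.0.10": "pcs",
    "10.1.0.20": "printers",
    "10.1.0.30": "iot",
    "10.1.0.40": "servers",
}


def subnet_role(ip: str) -> Optional[str]:
    """Legacy classification: the role is whichever legacy subnet the address sits in."""
    addr = ipaddress.ip_address(ip)
    for role, net in LEGACY_SUBNETS.items():
        if addr in net:
            return role
    return None


def legacy_acl_permits(src: str, dst: str) -> bool:
    """Subnet-based ACL: the address is the identity. A host that has already been
    moved into the /16 pool sits in none of the legacy /24s, so it has no role and
    the ACL can no longer express the intended policy for it."""
    return (subnet_role(src), subnet_role(dst)) in POLICY


def sgt_permits(src: str, dst: str) -> bool:
    """Group-based policy: the identity comes from the authorization result, not
    the address, so both hosts may live in the same /16 pool. An endpoint with no
    assigned group matches no policy cell and is denied (fail closed)."""
    src_group = ENDPOINT_GROUP.get(src)
    dst_group = ENDPOINT_GROUP.get(dst)
    if src_group is None or dst_group is None:
        return False
    return (src_group, dst_group) in POLICY


def endpoints_in_pool() -> bool:
    """Sanity check for the constructed data: every tagged endpoint is inside the /16."""
    return all(ipaddress.ip_address(ip) in SDA_POOL for ip in ENDPOINT_GROUP)


if __name__ == "__main__":
    flows = [("10.1.1.5", "10.1.2.7"), ("10.1.2.7", "10.1.1.5"),
             ("10.1.0.10", "10.1.0.20"), ("10.1.0.20", "10.1.0.10"),
             ("10.1.0.99", "10.1.0.20")]
    print(f"{'src':<12}{'dst':<12}{'legacy ACL':<12}SGT policy")
    for s, d in flows:
        print(f"{s:<12}{d:<12}{str(legacy_acl_permits(s, d)):<12}{sgt_permits(s, d)}")
```

The first two rows show the legacy ACL working as long as every host stays in its /24; the next rows show that once the same hosts sit side by side in one /16, only the group-based check still distinguishes them, and an endpoint that never received a group (10.1.0.99) is denied rather than silently allowed.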
