Fusion Router between two VNs

Nik.
Level 1

In a scenario with two VNs: VN1 with IoT devices and VN2 with clients. Both VNs contain multiple SGTs.

I'm quite unsure about the "Best Practice" usecase regarding Fusion Routers and VNs in a Fabric.

To my understanding, each time I want to connect/route traffic between two VNs I have to leave the Fabric. So I have to use a Fusion Router to complete this task.

I read that I can use a firewall or a dedicated device as a Fusion Router (or even my core switch?).

But I don't know which way I should go to connect both VNs, with IoT devices on one VN and clients on the other, or whether it is "overkill" to use two different VNs just to separate IoT devices and clients?

ammahend
VIP

The idea of a VN is equivalent to a VRF, meaning devices in a VN will only be able to talk to devices in their own VN (VRF), unless there is a route leak between both VNs (VRFs).

So if you think your IoT devices have no business ever talking to clients, then sure, go with 2 VNs, and the third will of course be the global routing table, which has your DHCP, DNA, NTP, etc.

You can use 2 routers for redundancy as per this design guide by Cisco:

https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/dna-center/213525-sda-steps-to-configure-fusion-router.html

-hope this helps-

Thanks for your fast reply.

If some clients have to connect to the IoT devices to receive data etc., would a single VN with an SGT (or multiple SGTs) for the IoT devices be the better choice?

If you do a single VN you can still do micro-segmentation within that VN between clients and IoT devices, so you still have a sense of good segmentation, so it's not that bad.

If you keep both of them in different VNs, it will give you the option to scale better and make more precise policy in case you add more variety of IoT devices or different users based on roles.

-hope this helps-

Mike.Cifelli
VIP Alumni
Adding additional considerations:
I read that I can use a firewall or a dedicated device as a Fusion Router (or even my core switch?).
-IMO you can, as long as the device supports VRF-lite & BGP. When we first started to play with SDA we actually had the idea of using 5555-X firewalls. The tricky part was figuring out how to leak between them with an internal shared VLAN with assigned static MACs to get context A (VN1) to talk to context B (VN2). We now use two 9500-16X Cat devices in production.

As far as segregating hosts and networks, I think that this comes down to your design requirements. Which do you feel most comfortable with: relying on CTS for east/west segmentation, or manual route leaking up at the fusions? Note that your paths would be longer if hostA in VN1 needs to get to hostB in VN2, even if they are connected on the same device. I would attempt to find a happy medium of what fits your environment best. Good luck & HTH!

Until now I don't see any advantage in using a separate VN for IoT devices, to be honest.

As @ammahend mentioned micro-segmentation is still possible with a single VN and multiple SGTs.

So to my understanding, connecting a second VN is more complex and requires more manual configuration (Fusion Router), but does not increase security or functionality?

Since I have to start from scratch I could use a single VN and multiple SGTs for segmentation (including IoT and clients).

If I have to add hundreds of IoT devices in the future, for example, would it still be possible to add another VN and move all the IoT devices?

As @ammahend mentioned, micro-segmentation is still possible with a single VN and multiple SGTs.
-Yes.
So to my understanding, connecting a second VN is more complex and requires more manual configuration (Fusion Router), but does not increase security or functionality?
-VNs completely segregate the IP pools belonging to them by creating a separate virtual routing instance on your device, the same as a VRF would do. So one VN would not know about the other VN. Essentially, if a host in VN1 tried to reach a host in VN2, the NADs would default-route the traffic to your fusions, since you would be advertising the default route into BGP (between FRs<-->EBNs) so that each respective VN would have a default route. Then you would leak as you wish accordingly. Separate VNs do add another layer of increased security.

If I have to add hundreds of IoT devices in the future, for example, would it still be possible to add another VN and move all the IoT devices?
-I would not recommend going down this path. You can accomplish this, but there are several things that would need to change. Remember that within DNAC you have to assign SGTs and IP pools to VNs. This would mean that the VLAN mapping auth string in your ISE authz profiles would need to be modified so that you can properly onboard hosts. Edge nodes would require re-provisioning to update VLAN names, SVIs, and more than likely a few other things. Your manual BGP fusion configuration would also need to be modified. Your routing tables would have to update. The EBNs would need updated config from DNAC as well. This would definitely be a heavier lift and migration. I am sure I am missing some other items as well. Anyways, HTH!
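The fusion-router mechanism described in the answer above (each VN is a VRF, the fusion originates a default route towards the border nodes per VRF, and prefixes are leaked between VRFs with BGP route-targets), shown as an added IOS-XE style configuration; it is not from this thread or from Cisco's documentation, and the VRF names, AS numbers, RD/RT values, neighbour addresses and the IoT pool prefix are all assumptions. It goes slightly beyond the text by restricting the leak to one IoT pool with an import map, so that clients can reach only the prefixes they need.

```cisco
! Added illustration, not from this thread. All names, numbers and
! addresses are assumptions for the example.
!
! Only this IoT pool is allowed to become visible inside the CLIENTS VN.
ip prefix-list IOT-SENSOR-POOL seq 5 permit 10.50.10.0/24
!
route-map LEAK-IOT-TO-CLIENTS permit 10
 match ip address prefix-list IOT-SENSOR-POOL
!
! VN1: IoT devices. Imports CLIENTS prefixes so return traffic has a route.
vrf definition IOT
 rd 65001:10
 address-family ipv4
  route-target export 65001:10
  route-target import 65001:10
  route-target import 65001:20
 exit-address-family
!
! VN2: clients. Imports IOT prefixes, but only those passing the route-map.
vrf definition CLIENTS
 rd 65001:20
 address-family ipv4
  route-target export 65001:20
  route-target import 65001:20
  route-target import 65001:10
  import map LEAK-IOT-TO-CLIENTS
 exit-address-family
!
! eBGP to the fabric border (assumed AS 65000), one session per VRF.
! default-originate is what gives each VN its 0.0.0.0/0 towards the fusion.
router bgp 65001
 address-family ipv4 vrf IOT
  neighbor 192.0.2.1 remote-as 65000
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 default-originate
 exit-address-family
 address-family ipv4 vrf CLIENTS
  neighbor 192.0.2.5 remote-as 65000
  neighbor 192.0.2.5 activate
  neighbor 192.0.2.5 default-originate
 exit-address-family
```

Without an import map, every prefix carrying the imported route-target is leaked, so the IOT side above currently learns all CLIENTS prefixes; a mirrored prefix-list and import map on the IOT VRF narrows that direction the same way.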

Thank you very much @Mike.Cifelli I really appreciate your help!

Your answer cleared up the big question mark I had regarding this topic.