SD-Access, VN with multiple IP pools

Hi colleagues,

 

I was wondering whether anyone has come across the following situation, related to migration of a standard LAN to SDA.

 

In the traditional LAN (typical 2-tier with L3 on the core and L2 downstream on the access) there could be multiple VLANs serving the same client types on different access switches (worst case, a VLAN per access switch). Looking at the transition to SDA, and where we can't change existing used IPs, what are the options? Any thoughts, please?

 

Thanks,

Guy

9 Replies

Scott Hodgdon
Cisco Employee

@GuyJCRaymakers40943 ,

This is a very typical request for migration where IP subnets must be both in and out of the fabric at the same time. I recommend having a look at the SD-Access Migration sessions in the Cisco Live On-Demand Library, specifically:

  • Real World Route/Switch to Cisco SD-Access Migration Tools and Strategies - BRKCRS-3493 Event: 2020 Digital APJC
  • Updated Cisco SD-Access Migration Strategies - BRKENS-2008 Event: 2021 Digital
  • Cisco SD-Access Integrating with Your Existing Network - BRKCRS-2812 Event: 2020 Barcelona
As far as having multiple IP Pools in the same VN, that is not a problem at all. It has been supported since Day 1 of SDA.

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group

Thanks Scott,

Indeed - the multiple IP pools in a VN is OK - just having, e.g., 10 IP pools for the same user community (example "employees"), I'm not sure how to deal with that from an ISE policy point of view (authorization VLANs?). So perhaps this is more an ISE question than SD-Access...

 

I'll take a look at the listed CL sessions.

 

Cheers,

Guy

@GuyJCRaymakers40943 ,

Yes, ISE will assign a VLAN based on the authentication result and then that VLAN is mapped to a VN (aka VRF) on the SVI. 

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group

Hi Scott,

 

Indeed - so in the scenario where you end up, in SDA (not traditional networking), with multiple VLANs for the same user community within the same VN - how do you craft the ISE policy so that users are shared across these multiple VLANs after they have authenticated? That's really the scenario I'm looking into.

 

User "employees", and I have VLAN names employee_1, employee_2, employee_3, employee_4, etc.

 

Best regards,

Guy

@GuyJCRaymakers40943 ,

In ISE there will be policy sets that will assign a VLAN based on the authentication / authorization information or perhaps even device profiling (or both). So perhaps the VN "Employees" has VLANs for HR, Sales, Engineering, Finance, IT, etc, and the employees in those groups are assigned to those VLANs when they are authenticated by ISE.

Have a look at the Policy Sets chapter at https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_segmentation.html#ID37 . If you can get your hands on a demo ISE in dcloud.cisco.com or developer.cisco.com (see the sandboxes), then that will help you look at the GUI to better understand what is being discussed in the admin guide.

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group

Thanks Scott,

 

Let me add one more layer - in my example assume all users are Engineering and they need to get "distributed" across these multiple VLANs (on SDA). How would we do that in ISE?

 

Cheers,

Guy

@GuyJCRaymakers40943 ,

I do not know the inner workings of ISE (not my area of focus), so you may want to follow up with this in the ISE community. That said, the way I believe it works is to add user/device profiles to specific groups in ISE and then those groups are associated with specific policy sets. 

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group

Hi Guy

You can achieve that one by putting the switches into different location groups. You also have to define different AuthZ Results with the different VLANs assigned.

Then you can make policy sets based on the location of the switches.

For example if Engineer A connected to Switch in Location A he gets Engineer-VLAN-A assigned.

Hi

If it's for a specific SGT assignment, you can always differentiate an endpoint with a specific attribute as belonging to a specific ID group :0)

Does it make sense for you in your case?
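As an added illustration of the two suggestions above (switch location groups driving the VLAN in the AuthZ result, and identity-group membership driving the SGT), here is a small Python model of ISE-style policy-set evaluation. This is example code written for this page, not anything from the thread or from Cisco: the device names, Network Device Group locations, VLAN names, SGT values and the helper functions are all assumed for illustration. The only values taken from a standard are the RADIUS Tunnel-Type (13 = VLAN) and Tunnel-Medium-Type (6 = IEEE-802) from RFC 3580. The VLAN is returned by name in Tunnel-Private-Group-ID, which is how an SD-Access edge node matches the pool's VLAN regardless of the numeric ID a site uses.

```python
"""Model of ISE-style policy-set evaluation that spreads one user community
(Engineering) across several SD-Access VLANs according to the switch's
location group.  Added example; all names and values below are assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Constructed inventory (assumed): ISE Network Device Groups, each fabric edge
# placed in a Location group.
NAD_LOCATION: Dict[str, str] = {
    "edge-a-01": "Location-A",
    "edge-a-02": "Location-A",
    "edge-b-01": "Location-B",
}

# Authorization profiles (assumed).  The VLAN is referenced by name; the SGT
# is carried in the same authorization result.
AUTHZ_PROFILES: Dict[str, Dict[str, object]] = {
    "Engineer-Loc-A": {"vlan": "Engineer-VLAN-A", "sgt": 16},
    "Engineer-Loc-B": {"vlan": "Engineer-VLAN-B", "sgt": 16},
    "Contractor": {"vlan": "Contractor-VLAN", "sgt": 20},
}


@dataclass(frozen=True)
class Request:
    """What the policy set sees once authentication has succeeded."""
    user: str
    groups: FrozenSet[str]   # identity / AD groups from the identity store
    nas: str                 # name of the authenticating network device

    @property
    def location(self) -> Optional[str]:
        # None when the switch has not been put in any Location group
        return NAD_LOCATION.get(self.nas)


Condition = Callable[[Request], bool]


def in_group(group: str) -> Condition:
    return lambda r: group in r.groups


def at_location(location: str) -> Condition:
    return lambda r: r.location == location


def all_of(*conds: Condition) -> Condition:
    return lambda r: all(c(r) for c in conds)


# Authorization rules, evaluated top-down; the first match wins, as in ISE.
RULES: List[Tuple[str, Condition, str]] = [
    ("Engineering at A", all_of(in_group("Engineering"), at_location("Location-A")), "Engineer-Loc-A"),
    ("Engineering at B", all_of(in_group("Engineering"), at_location("Location-B")), "Engineer-Loc-B"),
    ("Contractors", in_group("Contractors"), "Contractor"),
]


def authorize(req: Request) -> Optional[str]:
    """Return the matching authorization profile name, or None for the
    implicit default rule (Deny Access) when nothing matches."""
    for _name, cond, profile in RULES:
        if cond(req):
            return profile
    return None


def radius_attributes(profile: str) -> Dict[str, object]:
    """Attributes an Access-Accept would carry for the given profile."""
    p = AUTHZ_PROFILES[profile]
    return {
        "Tunnel-Type": 13,                       # VLAN (RFC 3580)
        "Tunnel-Medium-Type": 6,                 # IEEE-802 (RFC 3580)
        "Tunnel-Private-Group-ID": p["vlan"],    # VLAN by name, not numeric ID
        "sgt": p["sgt"],                         # sent as a Cisco AV-pair; encoding not modelled
    }


def assign_all(reqs: List[Request]) -> Dict[str, Optional[str]]:
    """Map each user to the VLAN they land in (None means denied)."""
    out: Dict[str, Optional[str]] = {}
    for r in reqs:
        profile = authorize(r)
        out[r.user] = None if profile is None else str(radius_attributes(profile)["Tunnel-Private-Group-ID"])
    return out


if __name__ == "__main__":
    # Constructed sample sessions: same Engineering community, different switches.
    sample = [
        Request("alice", frozenset({"Engineering"}), "edge-a-01"),
        Request("bob", frozenset({"Engineering"}), "edge-b-01"),
        Request("carol", frozenset({"Contractors"}), "edge-a-02"),
        Request("dave", frozenset({"Engineering"}), "edge-z-99"),  # switch in no location group
    ]
    for user, vlan in assign_all(sample).items():
        print(f"{user:6s} -> {vlan or 'Deny Access'}")
```

The last sample session is the case worth checking in a real deployment: an edge node that was never added to a location group matches none of the location-scoped rules and falls through to the default Deny Access, so a catch-all "Engineering, any location" rule with a fallback VLAN (or an explicit deny you actually want) belongs at the bottom of the policy set.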
