SDA design using FBs as an Enterprise core

Hello,
I have a customer who wants to connect his DC access switches directly to the SD-Access border switches. As per Cisco's validated design, the border switches should be connected to fusion router(s), and we run BGP between them in order to leak traffic between the GRT and the VRFs and between different VRFs. In this case, how can we achieve the solution without adding additional devices?
The SDA fabric is two-tier, which means all FE switches are dual-homed to two C9500 switches acting as co-located FB/CP.
The customer needs those two C9500s to act as the core for the whole enterprise, which means the DC ToR access switches (four) will be connected to them, plus all SDA FE switches and the Internet router.
The customer doesn't accept the idea of adding additional devices to act as core or fusion router. So the question is: is there any alternative to achieve SDA using the current BoM?
BR
Hassan

tahuja
Cisco Employee

The recommendation is to keep it clean by using a fusion device to leak routes.

Can you share the topology you are referring to, with the DC ToR switches and the edge devices?

Thanks Tahuja,

Please find it attached. We have more than 60 FEs.

I need to know if there is a way to implement it in this situation, or whether it is mandatory to add additional devices (adding two switches to the DC as a distribution layer and at the same time using them as a fusion router to leak routes).

BR

Hassan

I haven't had a chance to try this out yet; however, you can configure ports on Edge Node devices as type "Server". MY ASSUMPTION on this is that they can be trunk ports to allow your servers to talk to different gateways. Again, I haven't tested this yet, but it MAY be possible. Of course, all of the server networks would need to be part of the current SDA fabric.

You still need the FRs and EBNs/CPNs to get outside of the fabric (Internet, other non-fabric nodes, etc.). We used 9500-16X-A switches to do this because they are a less expensive option. You could just buy another 9500-16X-A as a core switch, connect your server ToR switches to it, and connect that to the SDA FRs if the server ports on the ENs don't work as I hope they do.

Good luck. If you are able to test the Server port configuration in the EN onboarding, please update this thread so we know if it was successful.

Chuck

While this is definitely not a design I would recommend, since it merges the DC network module and the client access network module into a single layer and fault domain in the overall architecture, it is absolutely possible if you look at it purely from a technical standpoint.

On the SDA border routers you can do the necessary route leaking inside BGP manually, and you can run MPLS on them and preserve path isolation between VNs (VRFs) outside of the SDA fabric that way (then you don't need VRF-lite and a peering for each and every VN/VRF you have). However, I suppose you have a firewall somewhere in your design, which would be a better place to do routing between VNs than just leaking routes on the border nodes, since you can then at the same time apply policy between them (and between external destinations, such as the Internet). Remember the SDA fabric is NOT a firewall, even if SGT-based segmentation can give you the same type of control/isolation as old-fashioned ACLs (but agnostic to IP addresses).