
SDA L2 Handoff Outside of Fabric

dm2020
Level 1

Hi All,

 

I have a design question. We have a basic fabric site that consists of 2 x co-located Border/CP nodes and ~50 Fabric Edge nodes. We have an L2 only pool that we need to extend outside of our SDA fabric to where a firewall/default gateway is located. From what I can see we have 3 options to achieve this.

 

1) Install a dedicated Border Node and configure L2 handoff for the required L2 only pool

2) Configure L2 handoff for the required L2 only pool on one of our existing co-located Border/CP nodes

3) Connect a port(s) on one of our Fabric Edge nodes to the external network and configure it as a standard trunk/access port that carries the L2 only pool VLAN to the external firewall.

 

From what I see all three options achieve the same thing, however I don't know if there are any pros/cons when considering which option to use? I understand in all instances that we can only hand off on one border/edge so as not to create a loop, which is understood and accepted for the required service.

 

Thanks

5 Replies 5

balaji.bandi
Hall of Fame
SDA L2 Handoff Outside of Fabric

I take this as outside fabric means not part of the same site, right?

How is the other site connected, over Layer 3 or Layer 2?

 

If it is outside, I prefer to use the below method:

 

2) Configure L2 handoff for the required L2 only pool on one of our existing co-located Border/CP nodes

 

If this is Layer 2, you can hand off directly connected to the network, right?

 

or have I misunderstood your requirement?

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

This is a single location, single fabric site. Outside of the fabric, connected directly to our co-located Border/CP nodes, we have a traditional network layer where we connect external comms and firewalls. We have a requirement to host a number of devices within our SDA fabric but using a firewall connected to the external network as the default gateway instead of the fabric edge. I understand that we need to deploy an L2 only network to achieve this; the question is what is the best way to extend this L2 only network outside of the fabric?

 

I'm leaning towards using one of the co-located Border/CP nodes to do this as it is already connected to the traditional network layer, so we just need to enable L2 handoff and extend the required VLAN to the required firewall. However, I am unsure if this is the best way and if we should consider using dedicated border nodes or even a fabric edge to do this.

 

 

Do you have any high-level diagrams to understand more?

 

or refer to this good presentation:

 

https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2019/pdf/BRKCRS-2811.pdf

 

BB


I recommend you read this document carefully, in case you have not yet:

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-sda-design-guide.html#L2_Border_Handoff

 

L2 handoff must be done on dedicated equipment and it is not supported by fabric Edges.

VLANs 1, 1002-1005, 2045-2047, and 3000-3500 are dedicated to DNAC and must not be used outside the fabric.

The default gateway of the L2 segment must be on the Fabric. If you have an interface VLAN configured on the legacy network, you must shut it down.

 

Scott Hodgdon
Cisco Employee

@dm2020 ,

The three options you list there are all valid for extending L2 outside a fabric site. I believe when you try to create an L2 Only IP Pool (really you're creating an L2 Only VLAN, as we don't need an IP Pool for an L2 Only option where the gateway is outside the fabric), there is an informational button that says that you should work with Cisco on this (or something to that effect).

If you work for a Cisco partner, my recommendation is that you submit your design to the SDA Design Desk at https://fwm.cisco.com/applauncher.do#appstore:1 . If you are not a Cisco partner, then please have your Cisco partner or Cisco account team submit the design.

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group