SDA Subnet Sizing

dm2020
Level 1

Hi All,


I have a question regarding subnet sizing with SDA.

If we were to have ~1000k employees connecting to a LAN, stretched across multiple buildings, using both wired and wireless endpoints, then theoretically a single /22 or even /21 subnet would be OK to use, as SDA uses a more scalable control-plane architecture.

Are there any gotchas with using large subnets in real-world deployments? How would this change if we were to enable L2 flooding on the associated IP pool? Would we need to use smaller subnets, or are larger subnets still OK to use?

1 Accepted Solution

Accepted Solutions

Scott Hodgdon
Cisco Employee

dm1981,

You are right that you could have one large subnet for everyone.

However, there are some instances where you might want smaller subnets assigned to specific groups of users. You gave a good example with L2 Selective Flooding, where you enable this on a per-subnet basis. If you don't want the flooding for the whole subnet, then you would have to break it up to focus on just the users / devices that need the flooding service.

Another example is NAT services once the user packet leaves the fabric. If certain users / devices need unique NAT policies, then using one large subnet would complicate that.

My general rule is to assign subnets to each group as defined by an SGT, as these are the distinct groups of users / devices that usually have policy rules enforced between them. While SGTs are IP agnostic (and IP version agnostic), in my view it makes sense to have a unique subnet per SGT for simplicity's sake. Since IP Pools (subnets) are fabric site specific and are stretched between all fabric edge nodes in a site (as you astutely pointed out), the number of subnets should still be much lower compared to a traditional network even when assigning one subnet per SGT.

Cheers,

Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking Group
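
Scott's rule of one IP pool per SGT, with groups that need L2 Selective Flooding kept in their own pools, can be turned into a small sizing calculation. The Python below is an added example, not code from this thread or from Cisco; the SGT names, host counts, the 10.10.0.0/16 supernet and the 50% growth headroom are assumed values.

```python
import ipaddress
from math import ceil, log2

# Constructed planning input: one entry per SGT (the one-pool-per-SGT rule).
# flood=True marks groups that need L2 Selective Flooding, which is enabled
# per subnet, so they must not share a pool with groups that do not need it.
SGT_GROUPS = [
    {"sgt": "Employees", "hosts": 2400, "flood": False},
    {"sgt": "Contractors", "hosts": 300, "flood": False},
    {"sgt": "Cameras", "hosts": 180, "flood": True},
    {"sgt": "HVAC", "hosts": 40, "flood": True},
    {"sgt": "BadgeReaders", "hosts": 90, "flood": False},
]


def prefix_for(hosts: int, headroom: float = 0.5) -> int:
    """Smallest IPv4 prefix length whose usable space covers hosts*(1+headroom).
    Three addresses are reserved: network, broadcast and the anycast gateway."""
    needed = ceil(hosts * (1 + headroom)) + 3
    return 32 - ceil(log2(needed))


def plan_pools(groups, supernet: str):
    """Carve one pool per SGT out of supernet, largest group first and best-fit,
    so the pools pack without fragmentation. Returns (sgt, network, flood)."""
    free = [ipaddress.ip_network(supernet)]
    plan = []
    for g in sorted(groups, key=lambda g: g["hosts"], reverse=True):
        plen = prefix_for(g["hosts"])
        free.sort(key=lambda n: n.prefixlen, reverse=True)  # smallest block first
        for i, block in enumerate(free):
            if block.prefixlen <= plen:
                sub = next(block.subnets(new_prefix=plen))  # lowest pool in block
                # address_exclude yields nothing when sub == block, so the
                # exhausted block simply disappears from the free list
                free[i:i + 1] = list(block.address_exclude(sub))
                plan.append((g["sgt"], sub, g["flood"]))
                break
        else:
            raise ValueError(f"{supernet} cannot fit a /{plen} for {g['sgt']}")
    return plan


if __name__ == "__main__":
    for sgt, net, flood in plan_pools(SGT_GROUPS, "10.10.0.0/16"):
        print(f"{sgt:13} {net!s:18} L2 flooding: {'yes' if flood else 'no'}")
```

Pools flagged for flooding are the ones to keep small; the headroom and reserved-address assumptions should be replaced with the values used in the actual fabric site.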



Tagging on to this post.

With SDA/TrustSec and ISE in the mix, try to look at options.

Let's say you have an SGT for headless devices (cameras, HVAC, badge readers, etc.). So are you saying that you create a VLAN/subnet for each of them?

So, then what do you put as the default VLAN on a switch?

Do you split the ports between these VLANs/subnets, or use a default VLAN/subnet and then let ISE do the VLAN change after profiling? In the past, a VLAN change was not advised due to some clients not doing well after a VLAN change.

Same thing with a Windows machine: if it has not done a user auth, then machine auth happens and you assign, let's say, VLAN X; then the user logs in and you determine he is part of a specific SGT group, so you have to move the user to a different VLAN/subnet and the IP has to change.

Is there a trade-off there? In some cases, especially with a PC, why not keep the same IP/subnet and not change it even if they change SGT membership?