cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
123
Views
10
Helpful
4
Replies
Beginner

SDA subnet sizing

With SDA/TRUSTSEC and ISE in the mix .

Try to look at options. 
lets say you have a SGT for headless devices - cameras, HVAC, badge readers etc. So are you saying that create a VLAN/subnet for each of them ? 

So, then what do you put as the default VLAN on a switch ? 

Do you split the ports between these VLANs/subnets ? or use a default VLAN/subnet, and then let ISE do the VLAN change after profiling ? In the past, VLAN change was not advised due to some clients not doing well after a VLAN change ? 

Same thing with windows machine - if it has not done a user auth, then machine auth happens and you assign lets vlan X, then the user logs in and you determine he is part of specific SGT group, then you have to move the user to a different VLAN/subnet and the ip has to change. 

Is there a trade off there ? in some cases especially with a PC, why not keep the same ip /subnet and not change even if they change SGTs membership.

4 REPLIES 4
Beginner

Re: SDA subnet sizing

Multiple Scenarios and end result can be achieved following multiple approaches:


* Legacy approach is to create a new VLAN for every new set of devices.
* Creating a new vlan doesn’t change anything till the time that VLAN forwards to same VRF. If full separation is needed then yes one needs to create a new IP address pool, and the SVI for that address pool will forward to a new VRF which separates that traffic logically.
* Splitting the ports/vlan change/posture/profiling triggering a vlan change is all which works, but one needs to tweak and make decisions basis the kind of end devices in use and tweak the port level config accordingly from DNA Center. For example a polycom device could behave differently compared to Avaya or Cisco w.r.t MAB or COA.
* SD Access approach could be different, since if you have a close auth mode, there is a pre-auth ACL blocking everything doesn’t matter whichever default vlan you are in and once auth happens you get the desired vlan.
* Now SGTs, put everyone in the same vlan (same VRF) and just move with SGTs from the ISE perspective is also an option.

In short, there are features, different vlans but same vrf, different vlans and different vrf, dynamic vlans, static vlans, static SGTs, dynamic SGTs, Post based SGTs, so on and so forth 😊 SGTs one can play the way they wish to with all of the above.
Highlighted
Rising star

Re: SDA subnet sizing

I am going to provide some guidance based on your concerns/questions in order:

Try to look at options.
lets say you have a SGT for headless devices - cameras, HVAC, badge readers etc. So are you saying that create a VLAN/subnet for each of them ?
-This depends on your requirements, and on how you build out your VNs in your fabric. A few things to consider are:
Do you want the "headless" devices in the same routing instance? Do any of these devices need to communicate east-west? If they do, I recommend keeping them in the same IP pool with one SGT or multiple IP pools with several SGTs, but in the same VN. Splitting these devices up into separate IP pools and separate VNs would mean that in order to communicate you would have to leak the traffic at your fusion/s router. The more you split them up IMO then you may face more admin overhead from a trustsec/route leak perspective.

So, then what do you put as the default VLAN on a switch ?
DNAC will automatically deploy the default data and voice vlan. Right now the default data vlan that will get provisioned to your edge nodes will be 2047 and the default voice vlan is 4000. You can create templates in DNAC to modify these configs, but note that every time you provision you will have to use the template again as the configs will get overridden. I believe Cisco is working on allowing engineers to create their own "closed auth" template that you can use to provision all nodes.

Do you split the ports between these VLANs/subnets ? or use a default VLAN/subnet, and then let ISE do the VLAN change after profiling ? In the past, VLAN change was not advised due to some clients not doing well after a VLAN change ?
I would rely on ISE to push policy to your SDA fabric. This process will be similar to policy push in a legacy environment. Note that you have the option to statically configure ports in DNAC for their respective VN, IP pool/SGT. Your ports will have the Cisco DNAC "default" configs based on the DNAC Auth Template you decide to use. In order to make changes you will need to create templates as mentioned earlier.

Same thing with windows machine - if it has not done a user auth, then machine auth happens and you assign lets vlan X, then the user logs in and you determine he is part of specific SGT group, then you have to move the user to a different VLAN/subnet and the ip has to change.
I would recommend using DHCP since it seems that your intention will be to move the workstation/user based on different eap-chaining results.

Is there a trade off there ? in some cases especially with a PC, why not keep the same ip /subnet and not change even if they change SGTs membership.
Perfect example IMO: Let's pretend you are using Cisco AnyConnect NAM to accomplish both user & computer auth via eap-chaining with eap-fast. Upon successful computer + user authentication/authorization you move them into your core business network (VN/IP pool/etc.) that may have internet access, which is required per business policy. Then once the user terminates session the eap-chaining result would move to computer pass + user fail. This is where you could move the computer to a restricted network that has access only to internal resources (WSUS/DC/SCCM/etc.). Benefit here would be that your hosts would not always be internet accessible increasing security. Obviously from an SGT perspective maybe you want users to have the ability to go east-west, but at night when nobody is present you want the computers to NOT have the east-west ability which you could enforce with different SGT and IP pool move. Anyways, your last question is a design/requirement decision.
Good luck & HTH!
Beginner

Re: SDA subnet sizing

Thanks for the comments MIke. its useful. 

What I am saying is that lets its a brown field where a customer already had legacy network and multiple building, floors. Generally everything is lumped together in a single floor - printers, hvac, cameras, pcs etc. phones may be in a different vlan...

How have people migrated to SDA from that construct of VLANs ? 

My questions is why change VLANs and have all the issues of changing VLANs like printers are generally sensitive and other devices as well . why not change SGT ? a more cleaner way in my opinion ? what are the benefits of allocating different VLANs/ ip subnets ? looking for real world experiences on how this was done ? I can imagine that we need more than one vlan, but looking for how others have carved out subnets etc...

Rising star

Re: SDA subnet sizing

I think other items you need to consider before answering how to build out the IP structure (meaning new or existing ranges) is if you are going to build your SDA network in parallel to the existing network OR if you are going to migrate devices in place with a scheduled cut-over. Carving things up and using different SGTs for different nodes allows more granular control of east-west traffic. Check out some of Cisco live docs to get a better understanding: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKCRS-2812.pdf

HTH!
CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards


This widget could not be displayed.