10-13-2019 01:09 PM
We are preparing a design for a customer to upgrade their outdated network infrastructure (900+ nodes), and this primarily includes deploying Cisco SDA and DNAC.
The current design is fairly simple and straightforward. It consists of two Cisco 6509 switches as a collapsed core, and the edge switches are a mix of 2960s and 3500s.
The core switches are configured as HSRP Active/Standby, and the active core switch is the root bridge for all VLANs.
VLANs are segmented per department, and all VLANs are configured and spanned throughout all switches.
Servers are connected to dedicated access switches with an uplink to the core switches.
We need to know:
- What licensing is required on Cat 9k switches?
- Which switch models are we supposed to buy?
- How do we make proper subnet sizing?
- What is a fusion router? Do we need one in our case?
- Where do we place and connect the existing servers and firewall to the fabric?
- Is it mandatory to have ISE with DNAC?
Any leads on this would really help us a lot.
10-13-2019 11:36 PM
Anyone, please?
10-15-2019 08:26 AM
10-19-2019 05:58 AM
Thanks Mike for the detailed reply.
1. So all the data center components like servers, firewalls, ISE, DNA, Active Directory, WLAN controllers or any other shared services should be behind the fusion device.
2. Will the default route to the external network be configured on the Border Node (control plane) or on the fusion device?
3. Do we need to create a different VN for voice, CCTV, access controllers and other low-current systems? In the legacy approach, we were creating VLANs. With SDA, how do we handle them in the fabric?
Thanks
10-21-2019 04:26 AM
techno.it,
I am not Mike, but I can answer these :-)
1. Yes. The shared services components like ISE, DNAC, DHCP, AD will still reside where they normally reside in the Data Center. As for WLCs, this depends on the design. If you have just a single site, then most likely the WLCs will reside in the DC. If you have a multi-site design, then each site requires a WLC presence and usually this is local to the site. However, we have enabled WLC embedded in a Cat9K for these designs, so you would not need to buy separate hardware for WLC support at each site.
2. It would be per-VRF and would probably be advertised from the fusion to the border. We never leak a default into the fabric control plane.
3. You can if you want, but you do not have to. The virtual network design is really up to the customer. Some customers use more VNs with SGTs inside each VN while some have a single VN and segment everything by SGT. Both are valid designs.
Cheers,
Scott Hodgdon
Senior Technical Marketing Engineer
Enterprise Networking Group
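To make points 1 and 2 above concrete, here is an added IOS-XE configuration fragment for the fusion side of the Layer 3 handoff; it is a constructed illustration, not configuration from this thread or from DNA Center, and the VRF names, VLAN, ASNs and addresses are assumptions. The border/fabric side is provisioned by DNA Center and is not shown; the fusion's own exit path toward the firewall is also omitted.

```cisco
! Constructed example: fusion router handing a per-VRF default route
! to the SD-Access border and leaking DC shared services into the VN.
! All names, ASNs, VLAN IDs and addresses are assumptions.
!
! VRF for the fabric virtual network (one per VN handed off by the border)
vrf definition CAMPUS
 rd 65001:100
 route-target export 65001:100
 route-target import 65001:100
 ! import the shared-services (DC) routes into this VN
 route-target import 65001:900
 address-family ipv4
 exit-address-family
!
! VRF holding the DC shared services (ISE, DNAC, AD, DHCP)
vrf definition SHARED_SERVICES
 rd 65001:900
 route-target export 65001:900
 route-target import 65001:900
 ! return path from shared services back to the campus VN
 route-target import 65001:100
 address-family ipv4
 exit-address-family
!
! Subinterface toward the fabric border for the CAMPUS VN handoff
interface TenGigabitEthernet1/0/1.3001
 description L3 handoff CAMPUS VN to fabric border
 encapsulation dot1Q 3001
 vrf forwarding CAMPUS
 ip address 172.16.255.1 255.255.255.252
!
! Services block in the data center
interface TenGigabitEthernet1/0/2
 description DC services block (ISE, DNAC, AD, DHCP)
 vrf forwarding SHARED_SERVICES
 ip address 10.10.0.1 255.255.255.0
!
router bgp 65001
 ! eBGP to the border, per VRF; the default is originated here
 ! and never injected into the fabric control plane itself
 address-family ipv4 vrf CAMPUS
  neighbor 172.16.255.2 remote-as 65000
  neighbor 172.16.255.2 activate
  neighbor 172.16.255.2 default-originate
 exit-address-family
 !
 address-family ipv4 vrf SHARED_SERVICES
  redistribute connected
 exit-address-family
```

Each additional VN gets its own VRF, handoff subinterface and BGP VRF address-family on the fusion, with the route-target imports deciding which VNs may reach the shared services.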
10-21-2019 04:15 AM
techno.it,
Migrating to an SD-Access architecture usually involves a design discussion with the customer and partner to evaluate the proper equipment, topology and features. I can answer your questions, but most likely you will need to work with a Cisco SE or TSA in your area on the design. They can also reach out to someone like myself as we have people that specialize just in SD-Access design for customer / partner support.
As to your questions:
- What licensing is required on Cat 9k switches?
ANSWER: A minimum of DNA Advantage is needed, but DNA Premier is often chosen as it includes ISE Base and ISE Plus licenses for the clients.
- Which switch models are we supposed to buy?
ANSWER: This depends on what the client requires for density, network topology, fiber aggregation, Cisco SD-Access client scale, etc. Almost all of the Cisco SD-Access designs on which I have worked have involved purely Catalyst 9K switches playing the various fabric roles of Fabric Border, Fabric Control Plane and Fabric Edge. However, those are not the only devices that support a Cisco SD-Access fabric.
- How do we make proper subnet sizing?
ANSWER: This is one of those areas that is not really possible to go into here. This is really up to the customer and is sometimes restricted by the customer's current IP address scheme and device capability. Some customers have statically addressed devices that they cannot change, and so this impacts how the IP subnetting is done.
- What is a fusion router? Do we need one in our case?
ANSWER: Again, without having a complete design it is hard to answer this. The Fusion device can be a switch, router or firewall where intra-VRF and/or inter-VRF policy is applied. Whether you need one or not will depend on other factors as well.
- Where do we place and connect the existing servers and firewall to the fabric?
ANSWER: If the firewall is the fusion device, then it can be directly attached to the Fabric Border nodes. Usually servers are connected to a services block for redundancy as we do not support StackWise Virtual with a Fabric Border node (yet ... being worked on). Again, this would come out as part of a design discussion.
- Is it mandatory to have ISE with DNAC?
ANSWER: Yes, but ISE can integrate with other systems as well if you want to do the authentication somewhere else and pass the result to ISE so that it can apply the proper Scalable Group Tag (SGT) to the user / device traffic.
See https://community.cisco.com/t5/networking-documents/sd-access-resources/ta-p/3812030#Design for a lot of information on Design and Deployment options.
Cheers,
Scott Hodgdon
Senior Technical Marketing Engineer
Enterprise Networking Group
10-21-2019 10:38 AM
Thanks Scott.
Just want to clarify a few last things before closing this thread. We will validate the design offline with the Cisco Tech Team.
1. Can we connect DC/Server Farm access switches directly to the SDA border switches?
2. If we acquire the DNA Premier license with the 9k switches, what license do we need to buy with the ISE appliance?
10-22-2019 04:40 AM
techno.it,
1. You can, but it is not Best Practice. It would require VN leaking on the Border, which we support but do not recommend.
2. DNA Premier has ISE Base and ISE Plus. I know there is an ISE Apex license, but not sure what that is for or if you need one for each client. I don't work in the ISE team or sales, so ISE licensing is not well known to me. Please work with the Cisco Account Team on this. It may be beneficial to look at an EN Enterprise Agreement for this project, as I believe it would remove some of the licensing questions. Again, please address this with the Cisco Account Team.
Cheers,
Scott Hodgdon
Senior Technical Marketing Engineer
Enterprise Networking Group