Upgrading Network Infrastructure from Legacy to Cisco SDA

techno.it
Level 1

We are preparing a design for a customer to upgrade their outdated network infrastructure (900+ nodes), and this primarily includes deploying Cisco SDA and DNAC.

The current design is fairly simple and straightforward. It consists of two Cisco 6509 switches as a collapsed core, and the edge switches are a mix of 2960s and 3500s.
The core switches are configured as HSRP Active/Standby, and the active core switch is the root bridge for all VLANs.

VLANs are segmented per department, and all VLANs are configured and spanned throughout all switches.
Servers are connected to dedicated access switches with an uplink to the core switches.

We need to know:
- What licensing is required on Cat 9k switches?
- Which switch models are we supposed to buy?
- How to do proper subnet sizing?
- What is a fusion router? Do we need one in our case?
- Where to place and connect existing servers and the firewall to the fabric?
- Is it mandatory to have ISE with DNAC?


Any leads on this would really help us a lot.

7 Replies

techno.it
Level 1

Anyone, please?

Mike.Cifelli
VIP Alumni
I am going to provide some answers and opinions on what you need/should know. I am going to try to keep it somewhat short because I could type quite a bit on this post:
First off, if you are planning on going all in with the SDA architecture you will want to plan on having ISE. ISE will provide you the ability to manage and utilize trustsec (major component in SDA) and develop network policy for authc and authz purposes. I would strongly suggest talking to your Cisco rep to identify your needs in regard to an ISE cluster + all the licensing you will need.
- What licensing is required on Cat 9k switches?
If you are wanting all of the features you will need Network Advantage + DNA Premier per NAD. Again, reach out to your rep.
- Which switch models are we supposed to buy?
See the guides below. The important thing here is to focus/determine what your requirements are.
- How to do proper subnet sizing?
Can't really answer this without knowing full requirements. Something to consider when planning: In order for one VN to reach another VN traffic will have to traverse your fusion router where from a higher level you route leak as you wish. In order for an IP pool to talk to another IP pool in the same VN you would control this via trustsec. Similar to how you would manage east-west for hosts in the same IP pool. Strongly consider checking out the documentation, talking to reps, or checking out Cisco Live presentations.
- What is a fusion router? Do we need one in our case?
Yes you will need this. The fusion's role essentially allows you to leak between VNs, route beyond/outside of your fabric, and advertise DFR information to your EBNs.
- Where to place and connect existing servers and the firewall to the fabric?
Hard to answer without knowing your environment. Typically these items would sit outside of your fabric. However, you are able to add servers to your SDA design if you wish.
- Is it mandatory to have ISE with DNAC?
Answered this above.

Helpful links:
SDA Compatibility matrix: https://www.cisco.com/c/en/us/solutions/enterprise-networks/software-defined-access/compatibility-matrix.html
SDA Ordering Guide: https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/software-defined-access/guide-c07-739242.html
SDA Design Guide: https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/CVD-Software-Defined-Access-Design-Guide-2019SEP.pdf
ISE info: https://www.cisco.com/c/en/us/support/security/identity-services-engine/tsd-products-support-series-home.html

Good luck & HTH!

Thanks Mike for the detailed reply.

1. So all the data center parts like servers, firewalls, ISE, DNA, Active Directory, WLAN controllers or any other shared services should be behind the fusion device.

2. Will the default route to the external network be configured on the Border Node (control plane) or on the fusion device?

3. Do we need to create a different VN for voice, CCTV, access controllers and other low-current systems? In the legacy approach, we were creating VLANs. With SDA, how do we handle them in the fabric?

Thanks

techno.it,

I am not Mike, but I can answer these :-)

1. Yes. The shared services components like ISE, DNAC, DHCP, AD will still reside where they normally reside in the Data Center. As for WLCs, this depends on the design. If you have just a single site, then most likely the WLCs will reside in the DC. If you have a multi-site design, then each site requires a WLC presence and usually this is local to the site. However, we have enabled WLC embedded in a Cat9K for these designs, so you would not need to buy separate hardware for WLC support at each site.

2. It would be per-VRF and would probably be advertised from the fusion to the border. We never leak a default into the fabric control plane.

3. You can if you want, but you do not have to. The virtual network design is really up to the customer. Some customers use more VNs with SGTs inside each VN while some have a single VN and segment everything by SGT. Both are valid designs.

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking Group
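The fusion-device behaviour Mike and Scott describe above (VN-to-VN reachability only through explicit route leaking on the fusion, and a per-VRF default route advertised from the fusion toward the border rather than leaked between VRFs), as an added IOS-XE configuration sketch that is not from any of the posters or from Cisco's design guides. VRF names, RDs, route targets, AS numbers and neighbor addresses are all constructed placeholders, and it assumes eBGP VRF-lite peering between the border node and the fusion device.

```cisco
! Added illustrative fusion-device config (constructed; VRF names, RDs, RTs,
! ASNs and addresses are placeholders). Assumes eBGP VRF-lite peering per VN
! toward the fabric border node.
!
! Two fabric VNs plus a shared-services VRF (ISE, DNAC, DHCP, AD) on the fusion.
vrf definition CAMPUS_VN
 rd 65000:100
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:100
  ! Leak ONLY shared services into this VN.
  route-target import 65000:900
 exit-address-family
!
vrf definition IOT_VN
 rd 65000:200
 address-family ipv4
  route-target export 65000:200
  route-target import 65000:200
  route-target import 65000:900
  ! No import of 65000:100: CAMPUS_VN and IOT_VN stay isolated from each
  ! other unless a policy point (e.g. the firewall) is placed between them.
 exit-address-family
!
vrf definition SHARED_SERVICES
 rd 65000:900
 address-family ipv4
  route-target export 65000:900
  route-target import 65000:900
  ! Shared services must have return routes to both VNs.
  route-target import 65000:100
  route-target import 65000:200
 exit-address-family
!
router bgp 65000
 ! One eBGP session per VN toward the border, which peers from each VRF.
 address-family ipv4 vrf CAMPUS_VN
  neighbor 10.255.1.1 remote-as 65001
  neighbor 10.255.1.1 activate
  ! Default is originated per VRF toward the border, never leaked between VRFs.
  neighbor 10.255.1.1 default-originate
 exit-address-family
 address-family ipv4 vrf IOT_VN
  neighbor 10.255.2.1 remote-as 65001
  neighbor 10.255.2.1 activate
  neighbor 10.255.2.1 default-originate
 exit-address-family
 ! Shared-services VRF must be in BGP so its routes exist for RT import.
 address-family ipv4 vrf SHARED_SERVICES
  redistribute connected
 exit-address-family
```

Inter-VN traffic that does need to flow (for example CAMPUS_VN to IOT_VN) is then an explicit route-target import decision on the fusion, which keeps the VRF boundary auditable alongside the SGT policy enforced inside each VN.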

Scott Hodgdon
Cisco Employee

techno.it,

Migrating to an SD-Access architecture usually involves a design discussion with the customer and partner to evaluate the proper equipment, topology and features. I can answer your questions, but most likely you will need to work with a Cisco SE or TSA in your area on the design. They can also reach out to someone like myself, as we have people that specialize just in SD-Access design for customer / partner support.

As to your questions:

- What licensing is required on Cat 9k switches?

ANSWER: A minimum of DNA Advantage is needed, but DNA Premier is often chosen as it includes ISE Base and ISE Plus licenses for the clients.

- Which switch models are we supposed to buy?

ANSWER: This depends on what the client requires for density, network topology, fiber aggregation, Cisco SD-Access client scale, etc. Almost all of the Cisco SD-Access designs on which I have worked have involved purely Catalyst 9K switches playing the various fabric roles of Fabric Border, Fabric Control Plane and Fabric Edge. However, those are not the only devices that support a Cisco SD-Access fabric.

- How to do proper subnet sizing?

ANSWER: This is one of those areas that is not really possible to go into here. This is really up to the customer and is sometimes restricted by the customer's current IP address scheme and device capability. Some customers have statically addressed devices that they cannot change, and so this impacts how the IP subnetting is done.

- What is a fusion router? Do we need one in our case?

ANSWER: Again, without having a complete design it is hard to answer this. The Fusion device can be a switch, router or firewall where intra-VRF and/or inter-VRF policy is applied. Whether you need one or not will depend on other factors as well.

- Where to place and connect existing servers and the firewall to the fabric?

ANSWER: If the firewall is the fusion device, then it can be directly attached to the Fabric Border nodes. Usually servers are connected to a services block for redundancy, as we do not support StackWise Virtual with a Fabric Border node (yet ... being worked on). Again, this would come out as part of a design discussion.

- Is it mandatory to have ISE with DNAC?

ANSWER: Yes, but ISE can integrate with other systems as well if you want to do the authentication somewhere else and pass the result to ISE so that it can apply the proper Scalable Group Tag (SGT) to the user / device traffic.

See https://community.cisco.com/t5/networking-documents/sd-access-resources/ta-p/3812030#Design for a lot of information on Design and Deployment options.

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking Group

Thanks Scott.

Just want to clarify the last few things before closing this thread. We will validate the design offline with the Cisco Tech Team.

1. Can we connect DC/Server Farm access switches directly to the SDA border switches?

2. If we acquire the DNA Premier license with the 9k switches, what license do we need to buy with the ISE appliance?

techno.it,

1. You can, but it is not Best Practice. It would require VN leaking on the Border, which we support but do not recommend.

2. DNA Premier has ISE Base and ISE Plus. I know there is an ISE Apex license, but not sure what that is for or if you need one for each client. I don't work in the ISE team or sales, so ISE licensing is not well known to me. Please work with the Cisco Account Team on this. It may be beneficial to look at an EN Enterprise Agreement for this project, as I believe it would remove some of the licensing questions. Again, please address this with the Cisco Account Team.

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking Group
