Brkewn 2020 PDF
SD-Access Wireless Integration
Why and how to integrate wireless in SDA
Software Defined Access – Wireless Integration
Session Objective
The goal of this session is to explain the value of the SD-Access Fabric and to show how SD-Access Wireless lets you overcome some of the challenges of traditional networks.
#CLUS BRKEWN-2020 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• SD-Access: why would you care?
• SD-Access Wireless Architecture
• Demo: Let’s make it real!
• Under the hood
• SD-Access Wireless Design & Deploy
• Adoption/Migration scenarios
• Key takeaways
(Slide aside: “…starting with a golden circle and the question ‘Why?’” – Simon Sinek, TED talk, 2009)
Related sessions: BRKCRS-2815 (Design & Scale), BRKCRS-3811 (Policy Management), BRKDCN-2489 (DC Integration)
[Slide figure: “$60B spent” on network resources and operations]
Key Challenges for Traditional Networks
Introducing Software-Defined Access
Policy-Based Automation from Edge to Cloud
• Industry best practices and policy compliance
• Decouple policy from network topology
• Proactive issue identification and resolution
[Diagram: the DNA Centre Appliance (DN1-HW-APL) exposing the Cisco DNA Centre 1.1 API; between DNA Centre (with its identity services) and the SD-Access Fabric the slide shows NETCONF, SNMP, SSH, AAA, RADIUS, EAPoL, HTTPS, NetFlow and Syslog]
SD-Access Fabric:
Why Would You Care?
What is the Problem?
User Group policy rollout – Today
[Diagram: one SSID carries BYOD and Contractor users through an L2 switch into the Enterprise Network; network policy has to be applied at several touch points along the way]
Policy is based on the “5 tuple” in the packet header (IP SRC, IP DST, SRC PORT, DST PORT, PROT, plus DSCP), because that is the only transitive information, i.e. the only information that survives end to end. The 5 tuple drives:
• QoS
• Security
• Redirect/copy
• Traffic engineering
• etc.
What is the Problem?
Policy Model Today
Network policy is written against IP addresses and ports:
access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
Where is the user/device information? It is not in the 5 tuple, so the IP address gets overloaded. The address has to:
• Locate you
• Identify you (carry the “meaning”)
• Drive the “treatment” (policy)
• Constrain you
In practice identity ends up encoded in the addressing plan: SSID A, B, C and D are each mapped to their own VLAN (VLAN 10, 20, 30, 40) and IP subnet.
But What If …
… we could make the IP address (key assertion)
You could build and run your network in a simpler way …
• Apply policy irrespective of network constructs (VLAN, subnet, IP address)
• Easily implement network segmentation (without implementing MPLS)
• Provide L2 and L3 flexibility (without stretching VLANs)
With a Fabric …
What exactly is a Fabric?
A Fabric provides an Overlay network
An Overlay is a logical topology used to virtually connect devices, built on top of
some arbitrary physical Underlay topology.
An Overlay network often uses alternate forwarding attributes to provide additional
services, not provided by the Underlay.
What exactly is a Fabric?
Separation of the “Forwarding Plane” from the “Services Plane”
What is unique about SDA Fabric?
Key components
Locator / ID Separation Protocol
Location and Identity separation
Traditional behavior – location and ID are “combined”: the device’s IPv4 or IPv6 address represents both its identity and its location in the IP core (e.g. 192.158.28.101). When the device moves, it gets a new IPv4 or IPv6 address for its new location.
LISP behavior – identity and location are separated: the endpoint keeps its address (the EID prefix) and a mapping system records which locator (RLOC) it currently sits behind:
  EID prefix       RLOC
  192.158.28.101   171.68.226.120 (171.68.228.121 after the move)
  189.16.17.89     171.68.226.120
  22.78.190.64     171.68.226.121
  172.16.19.90     171.68.226.120
  192.58.28.128    171.68.228.121
When the device moves, only the EID-to-RLOC mapping changes; the EID itself stays the same.
What is unique about SDA Fabric?
Key Components - VXLAN
What is unique about SDA Fabric?
Key Components – Cisco TrustSec (CTS)
Cisco TrustSec
Traditional Access Control is Extremely Complex
Enforcement – IP-based policies (ACLs, firewall rules) in front of the applications, written as the same kind of address-based access-list 102 shown on the “Policy Model Today” slide.
Propagation – the “segment” context is carried through the network (enterprise backbone, aggregation layer) using VLAN, IP address and VRF.
Classification – at the access layer, static or dynamic VLAN assignments (Non-Compliant, Voice, Employee, Supplier, BYOD), each tied to an address and DHCP scope.
Limits of traditional segmentation:
• Security policy is based on topology (address)
• High cost and complex maintenance: static ACLs, VACLs, routing, redundancy, DHCP scopes, addresses and VLANs all have to be kept in sync
Cisco TrustSec
Group-based access control
Enforcement – group-based policies (ACLs, firewall rules) enforced on the DC switch or firewall in front of the shared services and application servers; the DC switch receives policy only for what is connected to it.
Propagation – the “group” context is carried through the enterprise backbone using only the SGT.
Classification – static or dynamic SGT assignments on the campus switches, provided by ISE: Employee tag, Supplier tag, Non-Compliant tag. The tag follows the endpoint whether it sits in VLAN A or VLAN B.
What is Unique about SDA Fabric?
Fabric brings Policy Simplification
The Fabric breaks the dependency between IP and policy through the separation of the forwarding and services planes. In the Fabric, policies are tied to user/device identity (e.g. the Employee and Supplier groups), not to addresses.
DNA Centre – Automation and Assurance
• Single user interface for Fabric management & orchestration
• Policy definition based on user, device or application group
• Design, deploy, monitoring and troubleshooting
Fabric Overlay – Services plane (overlay encapsulation: VXLAN; overlay control plane: LISP)
• Dynamically connects users/devices/things
• IP is an ID, not used for traffic forwarding
• End-to-end policies and segmentation
Fabric Underlay – Forwarding plane
• Connects the network elements to each other
• Optimized for traffic forwarding (scalability, performance)
• Networking constructs like IP and VLANs live here
You Convinced me on Fabric… but still, Why Integrate Wireless?
Centralized Unified Wireless Network Strengths
[Diagram: WLC with ISE / AD; CAPWAP control and CAPWAP data tunnels from the APs]
• Network overlay? CAPWAP
• L3 roaming across the campus? WLC as mobility anchor
• Simplified IP addressing? WLC as mobility anchor
Wired Network Strengths
[Diagram: ISE / AD; distributed data plane]
• Distributed data plane
• Scalable and reliable
SD-Access Wireless: Bringing You the Best of Both Worlds
SD-Access Wireless
Architecture
SD-Access Fabric Architecture – Roles and Terminology
[Diagram: DNA Centre (NCP, NDP) with ISE / AD and DHCP; Fabric Border nodes (B), Control-Plane node (C), Intermediate nodes (underlay), Fabric Edge nodes, Fabric Mode WLC and Fabric Mode APs]
DNA Controller – Enterprise SDN controller; provides GUI management abstraction via multiple service apps, which share information (NCP, NDP).
Group Repository – An external ID services repository (e.g. ISE) is leveraged for dynamic user or device to group mapping and policy definition.
Control-Plane (CP) Node – Map system that manages endpoint ID to location relationships. Also known as the Host Tracking DB (HTDB).
Border Nodes – A Fabric device (e.g. Core) that connects external L3 network(s) to the SDA Fabric.
Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects wired endpoints to the SDA Fabric.
Fabric Wireless Controller – A Wireless Controller (WLC) that is fabric-enabled and participates in the Fabric LISP control plane.
Fabric Mode APs – Access Points that are fabric-enabled. Wireless traffic is VXLAN encapsulated at the AP.
SD-Access Wireless Architecture
Bringing the best of both architectures by...
SD-Access Wireless Architecture 1 – Simplifying the Control Plane
[Diagram: DNAC and ISE / AD above the Fabric; Border nodes (B); WLC with a CAPWAP control plane to the APs and a LISP control plane to the Control-Plane node]
Automation – DNAC simplifies the Fabric deployment, including the wireless integration component: policy, abstraction and configuration automation.
Centralized Wireless Control Plane – the WLC still provides client session management, AP management, mobility, RRM, etc. Same operational advantages as CUWN.
Fabric-enabled WLC – the WLC is part of the LISP control plane.
SD-Access Wireless Architecture 1 – Control Plane Node – A Closer Look
SD-Access Wireless Architecture 2 – Optimizing the Data Plane
[Diagram: as on the previous slide, plus the VXLAN data plane from the APs into the SD-Access Fabric]
Automation – DNAC simplifies the Fabric deployment, including the wireless integration component (policy, abstraction and configuration).
Centralized Wireless Control Plane – the WLC still provides client session management, AP management, mobility, RRM, etc., with the same operational advantages as CUWN.
Fabric-enabled WLC – the WLC is part of the LISP control plane:
• The WLC integrates with the LISP control plane
• The WLC updates the CP for wireless clients
• Mobility is integrated in the Fabric thanks to the LISP CP
Optimized Distributed Data Plane – Fabric overlay with Anycast GW + stretched subnet:
• VLAN extension with no complications
• All roaming is Layer 2
Fabric-enabled AP – the AP encapsulates Fabric SSID traffic in VXLAN from the AP (data plane), carrying the hierarchical policy segmentation starting from the edge of the network.
SD-Access Wireless Architecture 2 – Optimizing the Data Plane: Fabric Edge – A Closer Look
SD-Access Wireless Architecture 2 – Optimizing the Data Plane: Anycast Gateway – A Closer Look
Similar principle and behavior as HSRP / VRRP, with a shared virtual IP and MAC address.
The same Switched Virtual Interface (SVI) is present on every Edge, with the same virtual IP and MAC.
If (when) a host moves from Edge A to Edge B, it does not need to change its (L3) default gateway!
[Diagram: FE A and FE B both own GW 10.1.1.1 with MAC ab:12:cd:34:ef:56; the host 10.1.1.10 keeps GW 10.1.1.1 after moving from FE A to FE B]
SD-Access Wireless Architecture 2 – Optimizing the Data Plane: Stretched subnets – A Closer Look
[Diagram: hosts 10.1.1.10 and 10.1.1.11 in the same subnet, attached to different Fabric Edges]
SD-Access Wireless Architecture 3 – Simplifying Policy and Segmentation
[Diagram: Client A behind FE A and Client B behind FE B, with the Border (B) and Control-Plane (C) nodes; VXLAN (data) traffic crosses the SD Fabric]
1. The AP removes the 802.11 header from the client frame (IP payload | IP | 802.11).
2. The AP adds the 802.3/VXLAN/UDP/underlay IP header: IP payload | 802.3 | VXLAN (EID) | UDP | IP (SRC: AP, DST: FE A).
The VXLAN header carries the hierarchical segmentation:
• Virtual Network (VN) == VRF – isolated routing control plane + data plane
• Scalable Group Tag (SGT) – user group identifier
3. FE A does a lookup in the CP to locate Client B; the client is placed in the right VRF (e.g. VRF Red) and the frame is re-encapsulated with SRC: FE A, DST: FE B.
4. At FE B the client is mapped to its VRF and the SGT policy is applied. The client policy is carried end to end in the overlay.
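The encapsulation described in steps 1 to 4, as an added example that is not code from the Cisco Live deck: it builds and parses the 8-byte VXLAN header with the Group Policy extension (draft-smith-vxlan-group-policy), which is how the VNID (VN/VRF) and the SGT travel from the AP into the Fabric. The L2 VNID 8188, the VLAN mapping, the client frame and the SGT value used as sample are constructed; the outer UDP/IP header is not modelled.

```python
# Added example, not code from the Cisco Live deck: VXLAN-GPO header
# build/parse. All sample values below are constructed.
import struct

FLAG_I = 0x08          # "VNI valid" flag of the base VXLAN header (RFC 7348)
FLAG_G = 0x80          # "Group Policy ID present" flag of the GPO extension
SAMPLE_L2_VNID = 8188  # constructed L2 VNID for the client VN
SAMPLE_SGT = 100       # constructed; same value as the Employee SGT on the benefits slide
L2VNID_TO_VLAN = {SAMPLE_L2_VNID: 1021}  # constructed FE mapping of L2 VNID -> local VLAN


def build_vxlan_gpo(vnid: int, sgt: int) -> bytes:
    """Return the 8-byte header: flags | reserved | group policy ID (SGT) | VNI | reserved."""
    if not 0 <= vnid < 2 ** 24:
        raise ValueError("VNI is a 24-bit field")
    if not 0 <= sgt < 2 ** 16:
        raise ValueError("group policy ID (SGT) is a 16-bit field")
    # byte 0 flags, byte 1 reserved, bytes 2-3 SGT, bytes 4-6 VNI, byte 7 reserved
    return struct.pack("!BBHI", FLAG_G | FLAG_I, 0, sgt, vnid << 8)


def parse_vxlan_gpo(datagram: bytes) -> dict:
    """Decode header + inner 802.3 frame the way a receiving Fabric Edge must."""
    if len(datagram) < 8:
        raise ValueError("short VXLAN header")
    flags, _reserved, gpid, vni_field = struct.unpack("!BBHI", datagram[:8])
    if not flags & FLAG_I:
        raise ValueError("I flag not set: no valid VNI")
    # Without the G flag those 16 bits are merely reserved: never read them as an SGT.
    sgt = gpid if flags & FLAG_G else None
    return {"vnid": vni_field >> 8, "sgt": sgt, "inner": datagram[8:]}


def ap_encapsulate(inner_802_3: bytes, vnid: int = SAMPLE_L2_VNID, sgt: int = SAMPLE_SGT) -> bytes:
    """Step 2 on the slide: with the 802.11 header already stripped, the AP prepends
    the VXLAN-GPO header to the client's 802.3 frame. The outer UDP (port 4789)
    and IP header (SRC: AP, DST: FE) are added by the AP's IP stack and not modelled."""
    return build_vxlan_gpo(vnid, sgt) + inner_802_3


def fe_decapsulate(datagram: bytes) -> dict:
    """Fabric Edge side: recover VNID, SGT and inner frame, and map the L2 VNID to the
    local VLAN interface (the step the DHCP workflow describes later in the deck)."""
    parsed = parse_vxlan_gpo(datagram)
    parsed["vlan"] = L2VNID_TO_VLAN.get(parsed["vnid"])
    return parsed


# Constructed client frame: dst MAC, src MAC, EtherType IPv4, then a dummy payload.
SAMPLE_FRAME = bytes.fromhex("ab12cd34ef56 001122334455 0800") + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    print(fe_decapsulate(ap_encapsulate(SAMPLE_FRAME)))
```

The parser only trusts the group policy field when the G flag is set; a plain VXLAN header from a non-fabric source carries no SGT, and an edge that applied policy on the reserved bits would be enforcing garbage.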
SD-Access Wireless Benefits – User Group policy rollout
1. Define groups in AD
2. Design and deploy in DNA-C:
• Create a Virtual Network for Corporate
• Define policies – role/group based
• Apply policies – SGT based
[Diagram: DNA Centre, AAA, AD and DHCP; Production Servers and Developer Servers behind the LAN core; the WLC on a trunk to an L3 switch; one SSID, one touch point]
Virtual Networks and groups on the slide:
• IoT/HVAC Virtual Network
• Guest Virtual Network
• Corporate VN: Employee SGT 100, BYOD SGT 200, Contractor SGT 300
• Production Servers SGT 10, Developer Servers SGT 20
Result: one touch point, one SSID.
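The “Policy Model Today” slide and this group-based rollout describe the same contrast, so here is one added example (not code from the deck) that evaluates both models side by side: a 5-tuple ACL, where identity can only be inferred from the subnet a user was placed in, and an SGT matrix keyed by source and destination group. The SGT values are the ones on the slide (Employee 100, BYOD 200, Contractor 300, Production Servers 10, Developer Servers 20); every IP prefix and address is constructed.

```python
# Added example, not code from the Cisco Live deck. All prefixes and
# addresses are constructed; SGT numbers come from the slide.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str              # "tcp", "udp", "icmp"
    dst_port: Optional[int]


# --- Today: an address-based ACL. Rows are (action, src prefix, dst prefix, proto, dst port);
# "any"/None match any protocol/port. Identity exists only as "which subnet the user is in".
EMPLOYEE_SUBNET = "10.10.20.0/24"     # constructed: VLAN 20, employees
CONTRACTOR_SUBNET = "10.10.30.0/24"   # constructed: VLAN 30, contractors
PROD_SERVERS = "10.50.1.0/24"         # constructed
DEV_SERVERS = "10.50.2.0/24"          # constructed

ACL_TODAY = [
    ("permit", EMPLOYEE_SUBNET,   PROD_SERVERS, "tcp", 443),
    ("permit", EMPLOYEE_SUBNET,   DEV_SERVERS,  "tcp", 443),
    ("deny",   CONTRACTOR_SUBNET, PROD_SERVERS, "any", None),
    ("permit", CONTRACTOR_SUBNET, DEV_SERVERS,  "tcp", 22),
]


def acl_decision(flow: Flow) -> str:
    """First-match evaluation with the implicit deny at the end of the list."""
    src, dst = ipaddress.ip_address(flow.src_ip), ipaddress.ip_address(flow.dst_ip)
    for action, src_pfx, dst_pfx, proto, port in ACL_TODAY:
        if (src in ipaddress.ip_network(src_pfx) and dst in ipaddress.ip_network(dst_pfx)
                and proto in ("any", flow.proto) and port in (None, flow.dst_port)):
            return action
    return "deny"


# --- SD-Access: classification happens once (ISE assigns the SGT at authentication)
# and the policy is written against groups, independent of VLAN, subnet and IP.
SGT = {"employee": 100, "byod": 200, "contractor": 300, "prod_servers": 10, "dev_servers": 20}

SGT_MATRIX = {   # (src SGT, dst SGT) -> action; any pair not listed is denied
    (SGT["employee"], SGT["prod_servers"]): "permit",
    (SGT["employee"], SGT["dev_servers"]): "permit",
    (SGT["contractor"], SGT["dev_servers"]): "permit",
}


def sgt_decision(src_sgt: int, dst_sgt: int) -> str:
    return SGT_MATRIX.get((src_sgt, dst_sgt), "deny")


def contractor_moves_subnet() -> dict:
    """A contractor whose address changes from the contractor subnet to the employee
    subnet (the address is all the ACL can see). The IP-based ACL now treats the
    contractor as an employee; the SGT policy, keyed on the group, does not."""
    prod_host = "10.50.1.10"
    before = Flow("10.10.30.5", prod_host, "tcp", 443)
    after = Flow("10.10.20.5", prod_host, "tcp", 443)
    return {
        "acl_before": acl_decision(before),
        "acl_after": acl_decision(after),
        "sgt_before": sgt_decision(SGT["contractor"], SGT["prod_servers"]),
        "sgt_after": sgt_decision(SGT["contractor"], SGT["prod_servers"]),
    }


if __name__ == "__main__":
    print(contractor_moves_subnet())
```

The point the deck makes is visible in the return value: the ACL verdict flips from deny to permit purely because the source address moved into another subnet, while the SGT verdict is unchanged because the group, not the address, is the policy key.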
Benefits of SD-Access Wireless: another example
What is the Problem? Workspace of the Future
[Diagram: centralized WLC in the Data Centre with AD, AAA, LDAP, DNS and DHCP; APs across the campus]
What about…
• Fully leveraging the speed of 802.11ac/ax?
• Mobility everywhere
• Handling east-west traffic from tools like Spark rooms?
• And video, video and video…
• Onboarding sensors and IoT devices securely
• Leveraging great innovation at the switch level
• What about the IP addressing design?
• Is the centralized WLC a problem?
• etc...
You need a distributed data plane without the complications that normally come along with it in terms of IP addressing, roaming, etc.
SD-Access Wireless Benefits – Workspace of the future with SDA
[Diagram: WLC in the Data Centre with AD, AAA, LDAP, DNS and DHCP, connected outside the SDA Fabric next to the C and B nodes; CAPWAP (control) between WLC and APs; VXLAN (data) from the APs; IoT devices attached at the edge. The same client SVI is present on every Fabric Edge:
  Interface VLAN
  vrf forwarding Employee
  ip address 10.10.10.1/24]
With SDA:
• The data plane is distributed and optimized
• The subnet is everywhere, so the subnetting design is SIMPLE
• Mobility is integrated in the Fabric
• Layer 2 extension for IoT
The advantages of a distributed DP without the pain.
Operation Simplification
• DNAC Automation: reduce the management touch points
• DNAC Assurance: proactive monitoring and troubleshooting of the E2E network
• Wireless centralized Control Plane – the same simplified wireless operations as today
What Products Make This Architecture?
SD-Access Support – Fabric-ready platforms for your digital-ready network
SD-Access Wireless Platform Support (8.8 code; entries marked * on the slide are supported with caveats): 3504 WLC, 5520 WLC, 8540 WLC, Wave 2 APs, Wave 1 APs
SD-Access Platforms – For Your Reference
Edge Nodes (platform list not recoverable from the slide image)
Control-Plane Nodes (* Wired Only)
Border Nodes (* External Border Only):
• Catalyst 3850 – 1/10G SFP+, 10/40G NM cards – IOS-XE 16.6.3+
• Catalyst 9500 – 10/40G SFP/QSFP, 10/40G NM cards – IOS-XE 16.6.3+
• Catalyst 6800 – Sup2T/6T, 6840/6880-X – IOS 15.4.1SY4+
• ASR 1000-X/HX, ISR 4300/4400 – 1/10G/40G – IOS-XE 16.6.3+
• Nexus 7700 – Sup2E, M3 cards – NXOS 8.2.1+
Demo – SD-Access Wireless
SD-Access Wireless Basic Workflows – Fabric WLC configuration
[Diagram: SDA Fabric with the Control Plane (CP) node and the Fabric WLC]
2. Fabric configuration is pushed to the WLC and the WLC becomes Fabric aware. Most importantly, the WLC is configured with credentials to establish a secure connection to the CP.
SD-Access Wireless Basic Workflows – AP Join
[Diagram: FE1, Border (B), Control Plane (C), DNAC, IP Network and Fabric WLC]
AP INFRA_VN: INFRA_VN is introduced to easily onboard APs. APs are in the Fabric overlay, but INFRA_VN is mapped to the global routing table. “AP Provision” and “Layer 2 Extension” are automatically enabled on this special VN.
2. The AP is plugged in and powers up. The FE discovers it is an AP via CDP and applies the macro to assign the switch port to the right VLAN.
Automatic AP onboarding: in DNAC 1.1 the CDP macro on the FEs for AP onboarding is pushed only if the switchport “No Authentication” template is selected. If any other switchport authentication template is selected, use static assignment to map the APs’ switch ports to the right IP pool.
3. The AP gets an IP address via DHCP in the overlay. Next, the FE registers the AP as a “special” wired host into the Fabric.
4. The Fabric Edge registers the AP’s IP address (EID) and updates the Control Plane (CP).
5. The AP learns the WLC’s IP and joins using traditional methods (CAPWAP join exchange; the CAPWAP traffic travels in VXLAN across the SDA Fabric). The Fabric AP joins in Local mode.
6. AP check.
7. The WLC asks the CP for the AP’s RLOC (“AP RLOC?”).
8. The Control Plane (CP) replies to the WLC with the RLOC. This means the AP is attached to the Fabric and will be shown as “Fabric enabled”.
9. The WLC does an L2 LISP registration for the AP in the CP (a.k.a. AP “special” secure client registration). This is used to pass important metadata from the WLC to the FE.
10. In response to this proxy registration, the Control Plane (CP) notifies the Fabric Edge and passes the metadata received from the WLC (a flag that says it is an AP, and the AP IP address).
11. The Fabric Edge processes the information, learns it is an AP and creates a VXLAN tunnel interface (interface Tunnel) to the specified IP (optimization: the switch side is ready for clients to join).
SD-Access Wireless Basic Workflows – Client Onboarding
[Diagram: Border (B), DNAC, SDA Fabric, Control Plane (C), FE1 and Fabric WLC]
The admin user defines a pool for wireless clients in the DNAC Design phase. The pool is then associated to a VN during the “Host Onboarding” phase. For a wireless pool, L2 LISP needs to be enabled.
As soon as the SSID is mapped to the pool, the WLAN is enabled and clients see the Fabric SSID.
In DNAC, flip the Layer-2 Extension toggle to ON to enable L2 LISP and Layer 2 subnet extension on the client pool/subnet. This is required for wireless to work!
1. The client authenticates to a Fabric-enabled WLAN. The WLC gets the SGT from ISE and updates the AP with the client L2VNID and SGT (over CAPWAP in VXLAN). The WLC knows the RLOC of the AP from its internal DB.
2. The WLC proxy-registers the client L2 info (client MAC) in the CP; this is a modified LISP message that passes additional info, like the client SGT.
3. The FE is notified by the CP and knows it is a client; the FE adds the client MAC to the L2 forwarding table and fetches the client policy from ISE based on the client SGT.
DHCP flow:
4. The client’s DHCP packet arrives at the Fabric Edge from the AP together with the L2 VNID.
6. The Fabric Edge maps the L2 VNID to the VLAN interface and forwards the DHCP packet in the overlay (same as for a wired Fabric client).
8. DHCP snooping triggers the client EID registration by the Fabric Edge to the CP. (If the client has a static IP, then ARP or any other IP packet triggers the registration.)
SD-Access Wireless Basic Workflows – Client Roams
[Diagram: the client roams from AP1 (behind FE1) to AP2 (behind FE2); Fabric WLC, Border (B) and Control Plane (C); both FE1 and FE2 have the client SVI 20.2.4.1/20]
1. The client’s L2 MAC entry is updated in the CP.
2. The WLC updates the forwarding table on the AP with the client info (SGT, L2VNID, RLOC): Fabric client info sent to the AP.
4. The CP then notifies:
• Fabric Edge FE2 (“roam-to” switch) to add the client MAC to its forwarding table, pointing to the VXLAN tunnel
• Fabric Edge FE1 (“roam-from” switch) to clean up the wireless client
• the Fabric Border to update the internal RLOC for this client
5. The FE updates the L3 entry (client IP, L3 VNI, RLOC IP) in the CP database upon receiving traffic.
6. The roam is Layer 2, as FE2 has the same VLAN interface (Anycast GW).
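The following is an added example, not code from the Cisco Live deck: a toy model of the Control Plane node’s Host Tracking Database that ties together the EID-to-RLOC mapping from the “Locator / ID Separation Protocol” slide and the AP-join, client-onboarding and client-roam workflows above. It records L2 (MAC) and L3 (IP) registrations, answers map requests, and on a roam fans out the notifications the deck lists (roam-to FE, roam-from FE, Border). The FE RLOCs, MACs, the L2/L3 VNIDs of the client VN and the Border address are constructed; the AP address 172.16.3.7, instance-id 4097 and the client address 192.168.103.77 are reused from the slides.

```python
# Added example, not code from the Cisco Live deck. Node names, MACs,
# RLOCs and VNIDs marked "constructed" are sample values.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Mapping:
    rloc: str                   # locator: the Fabric Edge the endpoint sits behind
    vnid: int                   # L2 VNID (MAC entries) or L3 instance-id (IP entries)
    sgt: Optional[int] = None   # present only on WLC proxy registrations of wireless clients
    is_ap: bool = False         # metadata flag passed by the WLC's "special" AP registration


class HostTrackingDB:
    """EID -> RLOC map system. Keys are MACs (L2 LISP) or IPs (L3 LISP)."""

    def __init__(self, border: str):
        self.border = border
        self.l2: Dict[str, Mapping] = {}
        self.l3: Dict[str, Mapping] = {}
        # (node, action, eid): what the CP pushes to edges and border on each change
        self.notifications: List[Tuple[str, str, str]] = []

    def register_l2(self, mac: str, rloc: str, vnid: int, sgt: Optional[int] = None,
                    is_ap: bool = False) -> Optional[Mapping]:
        previous = self.l2.get(mac)
        self.l2[mac] = Mapping(rloc, vnid, sgt, is_ap)
        # the (roam-to) FE installs MAC -> VXLAN tunnel along with the SGT/AP metadata
        self.notifications.append((rloc, "add-l2", mac))
        if previous and previous.rloc != rloc:
            self.notifications.append((previous.rloc, "cleanup", mac))    # roam-from FE
            self.notifications.append((self.border, "update-rloc", mac))  # border re-points
        return previous

    def register_l3(self, ip: str, rloc: str, vnid: int) -> None:
        self.l3[ip] = Mapping(rloc, vnid)

    def map_request(self, eid: str) -> Optional[str]:
        entry = self.l2.get(eid) or self.l3.get(eid)
        return entry.rloc if entry else None


def client_roam_scenario() -> dict:
    fe1, fe2 = "10.255.0.1", "10.255.0.2"                  # constructed FE RLOCs
    ap1_mac, ap1_ip = "00:aa:00:00:00:01", "172.16.3.7"     # MAC constructed; IP from the slides
    client_mac, client_ip = "00:cc:00:00:00:01", "192.168.103.77"  # MAC constructed; IP from the slides
    cp = HostTrackingDB(border="10.255.0.254")               # constructed Border RLOC

    # AP join (steps 4 and 9): FE1 registers the AP's IP EID in instance-id 4097 (from the slide);
    # the WLC does the L2 "special" registration carrying the is-AP flag
    cp.register_l3(ap1_ip, fe1, vnid=4097)
    cp.register_l2(ap1_mac, fe1, vnid=4097, is_ap=True)
    # Client onboarding (steps 2 and 8): WLC proxy-registers MAC + SGT using the AP's RLOC;
    # FE1 registers the IP after DHCP snooping. VNIDs 8188/4099 are constructed.
    cp.register_l2(client_mac, fe1, vnid=8188, sgt=100)
    cp.register_l3(client_ip, fe1, vnid=4099)
    rloc_before = cp.map_request(client_ip)

    # Roam to AP2 behind FE2 (steps 1 and 4): same EID, new RLOC; the CP fans out the updates
    cp.register_l2(client_mac, fe2, vnid=8188, sgt=100)
    # Step 5: FE2 refreshes the L3 entry when the client's traffic arrives
    cp.register_l3(client_ip, fe2, vnid=4099)

    return {
        "rloc_before": rloc_before,
        "rloc_after": cp.map_request(client_ip),
        "mac_rloc_after": cp.map_request(client_mac),
        "sgt_preserved": cp.l2[client_mac].sgt,
        "notified": [n for n in cp.notifications if n[2] == client_mac],
    }


if __name__ == "__main__":
    print(client_roam_scenario())
```

The scenario shows the property the LISP slide promises: the client’s IP and MAC (its EIDs) never change across the roam, only the RLOC they map to, and the roam-from edge receives an explicit cleanup so it cannot keep forwarding to a stale location.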
Wireless and SDA Deployment Modes
SD-Access Wireless: true integration in Fabric
[Diagram: ISE / AD and DNAC (APIC-EM); Fabric-enabled WLC with a CAPWAP control plane to the Fabric-enabled APs and a VXLAN data plane from the APs into the Fabric overlay; Border (B) and Control-Plane (C) nodes; Flex APs and the underlay shown alongside]
• True wireless integration with the Fabric
• Provides all the advantages of SDA for wireless clients: full automation with DNAC, hierarchical segmentation (VRF and SGT), same policy as wired
• Recommended option
WLC placement:
• The WLC is connected outside the Fabric (optionally directly to the Border)
• The WLC needs to reside in the global routing table, to talk to the CP!
• No need for inter-VRF leaking for the AP to join the WLC
• The WLC can only belong to one Fabric Domain (FD). The WLC talks to one CP (two for HA)
Design notes:
1) The Fabric AP is in local mode; it needs < 20 ms latency between AP & WLC (CAPWAP control)
2) If the WLC is also used for non-Fabric APs (mixed mode), consider the MAC and ARP table scale of the directly-connected Border device
How to Connect the WLC?
[Diagram: WLC with a LAG to a service block switch (a stack or modular switch, or a dual switch in VSS mode) in the DC or service block, outside the Fabric overlay, which connects to the Border (B) and Control-Plane (C) nodes]
WLC side:
• Use multiple ports for redundancy and group them in a LAG (Link Aggregation)
• Use a pair of boxes and enable Stateful Switch Over (SSO); this doubles the links to connect to the infrastructure
AP to WLC Connection – South-North Traffic Details
[Diagram: AP (CAPWAP control) to FE, through the Fabric underlay, to the non-Fabric WLC 172.16.201.202]
When the FE receives a CAPWAP packet from the AP, the FE finds a match in the routing table and the packet is forwarded directly with no VXLAN encapsulation. The AP-to-WLC traffic travels in the underlay.
Route-map match and prefix list on the FE:
!
match ip address prefix-list WLC_IP
ip prefix-list WLC_IP seq 5 permit 172.16.201.0/24
Underlay route on the FE:
edge_1#sh ip route 172.16.201.0
Routing entry for 172.16.201.0/24
  Known via "isis", distance 115, metric 10, type level-2
  Redistributing via isis
  Last update from 172.16.3.81 on GigabitEthernet1/0/1, 04:43:51 ago
  Routing Descriptor Blocks:
  * 172.16.3.81, from 172.16.3.254, 04:43:51 ago, via GigabitEthernet1/0/1
      Route metric is 10, traffic share count is 1
AP to WLC Connection – North-South Traffic Details
[Diagram: non-Fabric WLC 172.16.201.202 (CAPWAP control) to the Border, CAPWAP control in VXLAN across the Fabric overlay to the FE, to the AP 172.16.3.7]
Border configuration to advertise the local AP EID space to the external domain:
site site_uci
  […]
  eid-record instance-id 4097 172.16.3.0/24 accept-more-specifics
exit-site
When the Border receives a CAPWAP packet from the WLC, the LISP lookup happens and the traffic is sent to the FE with VXLAN encapsulation. The WLC-to-AP traffic travels in the overlay.
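The two forwarding decisions above, as an added example that is not code from the Cisco Live deck. It is a deliberately simplified two-table model of the FE (prefix-list match first, LISP lookup otherwise) and of the Border (EID record match, then LISP lookup); the real route-map/LISP interaction on IOS-XE is richer. The prefix list WLC_IP (172.16.201.0/24), the WLC address 172.16.201.202, the underlay next hop 172.16.3.81, the AP EID prefix 172.16.3.0/24 in instance-id 4097 and the AP address 172.16.3.7 are taken from the slides; the FE RLOCs, the second underlay route and the client EID entry are constructed.

```python
# Added example, not code from the Cisco Live deck. Values marked
# "constructed" are sample data; the rest are from the slides.
import ipaddress
from typing import Dict, Optional, Tuple

WLC_IP_PREFIX_LIST = ["172.16.201.0/24"]       # ip prefix-list WLC_IP seq 5 permit 172.16.201.0/24
UNDERLAY_RIB: Dict[str, str] = {               # prefix -> next hop, as in "sh ip route"
    "172.16.201.0/24": "172.16.3.81",           # WLC management subnet learned via IS-IS
    "172.16.3.80/30": "172.16.3.81",            # constructed point-to-point link
}
BORDER_EID_RECORDS = {4097: ["172.16.3.0/24"]}  # eid-record instance-id 4097 172.16.3.0/24
EID_TO_RLOC: Dict[str, str] = {                 # what a CP map-reply would return (RLOCs constructed)
    "172.16.3.7": "10.255.0.1",                 # AP behind FE1
    "192.168.103.77": "10.255.0.2",             # wireless client behind FE2
}


def longest_match(rib: Dict[str, str], dst: ipaddress.IPv4Address) -> Optional[str]:
    """Plain longest-prefix lookup in the underlay RIB."""
    best = None
    for prefix, nexthop in rib.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nexthop)
    return best[1] if best else None


def fe_forward(dst_ip: str) -> Tuple[str, Optional[str]]:
    """South-north: the FE checks the WLC_IP prefix list first; a match is routed
    natively in the underlay with no VXLAN encapsulation. Anything else is a LISP
    lookup followed by VXLAN encapsulation to the resolved RLOC."""
    dst = ipaddress.ip_address(dst_ip)
    if any(dst in ipaddress.ip_network(p) for p in WLC_IP_PREFIX_LIST):
        return ("underlay", longest_match(UNDERLAY_RIB, dst))
    return ("overlay", EID_TO_RLOC.get(dst_ip))


def border_forward(dst_ip: str) -> Tuple[str, Optional[str]]:
    """North-south: if the destination falls inside an EID record the Border advertises,
    the LISP lookup resolves the AP's RLOC and the packet is VXLAN-encapsulated to the FE;
    other destinations are handed to the external domain."""
    dst = ipaddress.ip_address(dst_ip)
    for prefixes in BORDER_EID_RECORDS.values():
        if any(dst in ipaddress.ip_network(p) for p in prefixes):
            return ("overlay", EID_TO_RLOC.get(dst_ip))
    return ("external", None)


if __name__ == "__main__":
    print(fe_forward("172.16.201.202"), border_forward("172.16.3.7"))
```

The asymmetry is the thing to remember when troubleshooting: a capture on the underlay links sees the AP-to-WLC CAPWAP traffic natively, but the WLC-to-AP direction only shows up as VXLAN from the Border to the FE.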
SD-Access Wireless – Design and Deploy considerations
[Diagram: Control-Plane (C) and Border (B) nodes, SDA Fabric, IP Network, Fabric WLC on the WLC management subnet 192.168.1.0/24]
• WLCs connect external to the Fabric
• The Fabric AP joins a WLC local to the site, in Local mode; no support for Flex or WLC over WAN
• Latency between AP and WLC < 20 ms
[Diagram: AP VLAN 172.16.3.1/24 (EID prefix 172.16.3/24) on the Fabric Edges, AP 172.16.3.110, Fabric WLC reached through the IP Network]
[Diagram: Client VLAN 192.168.103.1 on every Fabric Edge, wireless clients 192.168.103.77 and 192.168.103.71; Fabric WLC]
• Client subnets are distributed on the Fabric Edge switches
[Diagram: wireless client 192.168.103.77 in the client VLAN and a wired host 10.1.18.24 in 10.1.18.0/20 on the same Fabric]
[Diagram: Fabric SSID in client VLAN 192.168.103.0/24 (client 192.168.103.77) and a non-Fabric SSID on the WLC dynamic interface 172.16.3.5/24 (client 172.16.3.80), both on the same WLC]
• A CAPWAP WLAN can co-exist with a Fabric-enabled WLAN using the same Fabric-enabled WLC. At FCS this is only supported for greenfield deployments.
SD-Access Wireless in Distributed Campus – Transit
SD-Access for Distributed Campus – Integrating wireless
[Diagram: Site 1, Site 2 and Site 3 Fabrics, each with Border (B) nodes, a Control-Plane (C) node and its own Fabric WLC reached through the site’s IP Network; the sites are connected over a Metro Area Transit site (VRF-LITE, MPLS or SD-Access* transit)]
• First, build a single Fabric Site as you were building a Fabric Domain in 1.1.x
• Then add multiple sites (up to 200 sites) connected via a Transit site
• Today (SDA 1.2) each site needs its own physical WLC
• The WLC only talks to one site Control Plane node (two for redundancy)
SD-Access Wireless
Guest Design
SD-Access Wireless Guest
One touch Guest solution, DNAC automated
SD-Access Wireless Guest Design
Guest with dedicated Border and Control Plane nodes
[Diagram: Enterprise C and B nodes in the SDA Fabric; a dedicated Guest Control Plane node (C) and Guest Fabric Border (FB) in the Guest VRF towards the DMZ and Internet; WLC]
Complete Control plane and Data plane separation from Enterprise traffic
No additional Anchor WLC: Guest traffic is optimized, sent directly to the DMZ
No Anchor WLC scalability limit (71 tunnels). Scalability depends on Border scale
SD-Access Wireless Guest Design
Using the Enterprise Control Plane & Border
[Diagram: the Enterprise C and B nodes also serve the Guest VRF; the Border connects to the DMZ and Internet; guest client 10.10.10.40; WLC]
SD-Access Wireless Guest Design
Automated Anchor-Foreign CUWN Solution in DNAC 1.2
[Diagram: Foreign WLC in the SDA Fabric with CAPWAP to the APs; CAPWAP/EoIP mobility tunnel to the Anchor WLC in the DMZ towards the Internet; guest client 10.10.10.40; C and B nodes]
DNAC 1.2 Guest SSID with Anchor WLC
DNAC 1.2 now supports Guest Anchor configuration for both Central Webauth (CWA) and Local WebAuth (LWA) with external portal
When provisioning the WLC, the user now has the option to choose Active (Foreign) or Anchor WLC
SD-Access Wireless
[Diagram: CAPWAP tunnel carried over the SD-Access Fabric]
CUWN Over the Top (OTT)
Design and Deploy considerations
[Diagram: SSO WLC pair outside the SDA Fabric with Mgmt Interface 192.168.1.5 on the WLC Mgmt subnet 192.168.1.0/24; AP subnet 172.16.18.x inside the SDA Fabric; C and B nodes]
WLCs connect external to fabric
Border advertises WLC Management subnet into the Fabric
Border advertises Fabric prefix for AP to the outside IP network
CUWN Over the Top (OTT)
Design and Deploy considerations
[Diagram: AP VLAN 172.16.18.254/24 on the Fabric Edge switches; APs 172.16.18.24 and 172.16.18.32; CAPWAP tunnel through the Border (B) to the SSO WLC outside the fabric]
Access Points are in overlay space on Fabric Edge switches. APs get registered in the Host Tracking Database (CP) as wired clients
One subnet for APs across the entire Fabric in Campus => Simplified IP design for AP onboarding
Use pool in INFRA_VN to onboard OTT APs (*)
(*) assuming whole deployment is OTT
CUWN Over the Top (OTT)
Design and Deploy considerations
[Diagram: Wireless Clients Subnet (printed on the slide as 10.2.7.254.0/21, client 10.2.7.254.35) terminated on the WLC Dynamic Interface 10.2.7.5/21 outside the fabric; CAPWAP tunnel from the APs through the Border (B) to the SSO WLC]
CUWN Over the Top (OTT)
Design and Deploy considerations
[Diagram: AP inside the SDA Fabric; WLC Dynamic Interface 10.2.7.5/21 outside the fabric; C and B nodes]
CAPWAP traffic travels in the underlay from AP to the WLC, and it’s not VXLAN encapsulated. As with Fabric enabled APs, this is because the WLC destination is known in the underlay, so the FE forwards this traffic directly.
The return traffic, from WLC to AP, is encapsulated at the Border
CUWN Over the Top (OTT)
Design and Deploy considerations
[Diagram: wireless client 10.2.7.254.35 (as printed on the slide) on the active WLC Dynamic Interface 10.2.7.5/21 outside the fabric; C and B nodes]
CUWN Over the Top (OTT)
Design and Deploy considerations
[Diagram: wired host 10.1.18.24 inside the SDA Fabric; wireless client 10.2.7.254.35 (as printed on the slide) on the active WLC Dynamic Interface 10.2.7.5/21 outside the fabric; C and B nodes]
Communication from a wired host in the Fabric to a Wireless Client outside the fabric occurs through the Internal Border – JUST LIKE TODAY!!
For the Fabric, it is a Fabric host communicating to a known destination external to the Fabric
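The three forwarding cases the OTT slides describe (AP-to-WLC CAPWAP forwarded natively because the WLC subnet is known in the underlay, WLC-to-AP traffic VXLAN-encapsulated at the Border after a LISP lookup, and a fabric wired host reaching a destination outside the fabric via the Border) can be written down as one decision procedure. The following is an added example, not Cisco code or anything from the session: it models the Control Plane's Host Tracking Database as a longest-prefix-match table and applies the FE and Border decisions to packets built from the addresses printed on the slides. The RLOC names (FE1, FE2, BORDER), the /32 registrations and the OTT client address 10.2.7.35 are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: object          # IPv4Address
    dst: object          # IPv4Address
    proto: str = "ip"    # "capwap" for AP <-> WLC traffic, "ip" for everything else


@dataclass(frozen=True)
class Decision:
    action: str    # "local" (same FE), "vxlan" (overlay tunnel), "native" (no encapsulation)
    next_hop: str  # RLOC name of the remote fabric node, or "underlay" / "outside"


class ControlPlane:
    """Host Tracking Database (the C node): EID prefix -> RLOC of the fabric node owning it."""

    def __init__(self):
        self._eids = {}  # IPv4Network -> RLOC name (constructed names in this example)

    def register(self, eid, rloc):
        self._eids[ip_network(eid)] = rloc

    def lookup(self, addr):
        """Longest-prefix match. None means the address is not a fabric EID."""
        matches = [(net, rloc) for net, rloc in self._eids.items() if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


class FabricEdge:
    def __init__(self, rloc, cp, border_rloc, underlay_routes):
        self.rloc = rloc
        self.cp = cp
        self.border_rloc = border_rloc
        # Prefixes reachable natively in the underlay, e.g. the WLC management
        # subnet that the Border advertises into the fabric.
        self.underlay_routes = [ip_network(r) for r in underlay_routes]

    def forward(self, pkt):
        rloc = self.cp.lookup(pkt.dst)
        if rloc == self.rloc:
            return Decision("local", self.rloc)        # EID attached to this FE
        if rloc is not None:
            return Decision("vxlan", rloc)             # EID on another FE: VXLAN to its RLOC
        if any(pkt.dst in net for net in self.underlay_routes):
            return Decision("native", "underlay")      # known in the underlay: no VXLAN header
        return Decision("vxlan", self.border_rloc)     # external destination: VXLAN to the Border


class Border:
    def __init__(self, rloc, cp):
        self.rloc = rloc
        self.cp = cp

    def forward_inbound(self, pkt):
        """Packet arriving from the outside IP network, e.g. the WLC -> AP direction."""
        rloc = self.cp.lookup(pkt.dst)
        if rloc is None:
            return Decision("native", "outside")       # not a fabric EID, stays outside
        return Decision("vxlan", rloc)                 # LISP lookup, then VXLAN to the FE


def build_fabric():
    """Constructed topology: addresses from the slides, RLOC names made up."""
    cp = ControlPlane()
    cp.register("172.16.18.24/32", "FE1")    # OTT AP on FE1, registered as a wired client
    cp.register("172.16.18.32/32", "FE2")    # OTT AP on FE2
    cp.register("10.1.18.24/32", "FE1")      # wired host
    cp.register("192.168.103.77/32", "FE2")  # fabric-SSID wireless client
    underlay = ["192.168.1.0/24"]            # WLC mgmt subnet advertised by the Border
    return FabricEdge("FE1", cp, "BORDER", underlay), Border("BORDER", cp)


def walk_through():
    fe1, border = build_fabric()
    wlc, ap1 = ip_address("192.168.1.5"), ip_address("172.16.18.24")
    wired, ott_client = ip_address("10.1.18.24"), ip_address("10.2.7.35")  # client: constructed
    return {
        "capwap_ap_to_wlc": fe1.forward(Packet(ap1, wlc, "capwap")),
        "capwap_wlc_to_ap": border.forward_inbound(Packet(wlc, ap1, "capwap")),
        "wired_to_ott_client": fe1.forward(Packet(wired, ott_client)),
        "wired_to_fabric_client": fe1.forward(Packet(wired, ip_address("192.168.103.77"))),
        "wired_to_local_ap": fe1.forward(Packet(wired, ap1)),
    }


if __name__ == "__main__":
    for name, d in walk_through().items():
        print(f"{name:24s} -> {d.action:6s} via {d.next_hop}")
```

The order of the checks in `FabricEdge.forward` is the point: an EID match wins over an underlay route, and anything that is neither is handed to the Border, which is exactly why the wired host's packet to a CUWN client "outside" the fabric goes through the Internal Border while its CAPWAP neighbour on the same switch is forwarded natively.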
CUWN Over the Top (OTT)
Design and Deploy considerations
[Diagram: OTT WLC and Cisco Prime external to the Fabric; CAPWAP from the APs is carried as CAPWAP in VXLAN across the SDA Fabric to the Border (B), then as CAPWAP over the IP Network to the OTT WLC]
External to Fabric: no need to upgrade AP models or code. All features supported today keep working as today
Multicast
SD-Access Fabric
Multicast
[Diagram: Multicast source outside the Fabric (non-Fabric); Fabric Border (FB); Fabric RP in the Overlay; VXLAN tunnels to FE1 and FE2]
Important things to know:
Multicast traffic is transported in the overlay, in the EID space, for both wired and wireless clients
To enable multicast for wireless, Global Multicast mode and IGMP snooping need to be enabled globally on the WLC
At FCS, multicast traffic leverages head-end replication to forward traffic to the Fabric multicast destination
SD-Access Fabric
How Multicast Works – Multicast Receiver to RP
[Diagram: Multicast source outside the Fabric (non-Fabric); FB; Fabric RP; FE; Underlay; IGMP join from the client, VXLAN from the AP to the FE, PIM join from the FE to the RP]
Multicast client (receiver) is in the overlay, multicast source can be outside Fabric or in the overlay as well
PIM-SM/PIM-SSM needs to be running in the Overlay
The client sends an IGMP join for a specific multicast Group (G)
The AP encapsulates it in VXLAN and sends it to the upstream switch.
The Fabric Edge node (FE) receives it and does a PIM Join towards the Fabric Rendezvous Point RP (assuming PIM-SM is used)
The RP needs to be present in the Overlay as part of the End point IP space.
SD-Access Fabric
How Multicast Works – Multicast Source to RP
[Diagram: Multicast source outside the Fabric (non-Fabric); FB; Fabric RP; FE; Underlay; PIM join from the FB to the RP]
The Multicast source will send the multicast traffic on the interfaces towards the Fabric Border (FB) as it’s the DR for that segment.
The FB receives it and does a PIM Join towards the RP (assuming PIM-SM is used)
The RP now has the source and receiver information for that multicast group.
SD-Access Fabric
How Multicast Works – Data Plane
[Diagram: Multicast source outside the Fabric (non-Fabric); FB; Fabric RP; FE; Underlay; VXLAN tunnels FB -> RP -> FE]
From earlier, the RP now has the source and receiver information for a particular multicast group.
The FB will send the multicast source traffic over a VXLAN tunnel to the RP and the RP will forward that traffic to the FE over another VXLAN tunnel.
The FE receives the VXLAN packets, decapsulates, applies policy and then forwards it again to the AP over a VXLAN tunnel.
The AP removes the VXLAN header and sends the original IP multicast packet into the air.
SD-Access Fabric
How Multicast Works
[Diagram: Multicast source outside the Fabric (non-Fabric); FB; Fabric RP; Overlay; VXLAN tunnels from the FB directly to the FEs]
Once the first multicast packet is delivered to the FE, the shortest-path tree (SPT) switchover happens and the traffic is forwarded between the FB and the FE directly.
The FE knows that the FB owns the multicast source based on the first multicast packet received and sends a PIM join directly to the FB for that multicast group.
FB now knows which FEs have clients that requested the specific multicast Group.
It performs headend replication and VXLAN encapsulates the multicast traffic and unicasts it to the interested FEs
The multicast traffic is sent in the overlay
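The four multicast slides above describe one state machine: IGMP joins populate the FEs' interest, the FB makes the source known to the RP, the first packet follows the shared tree through the RP, and after the SPT switchover the FB head-end replicates one VXLAN unicast per interested FE. The following added example (not Cisco code, not from the session) models that sequence so the replication cost is visible: `deliver` returns the overlay hops one packet takes, and `headend_fanout` is the number of unicast copies the FB sends per packet, which is what "head-end replication" costs the Border as the number of interested FEs grows. Node names (FB, RP, FE1..FE3, AP1..AP4), the group 239.1.1.1 and the source address are constructed; a late joiner is handled by letting it pull the first packet through the RP before it, too, joins the FB directly.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    src: str
    dst: str
    encap: str  # "vxlan" for an overlay tunnel, "air" for the AP radio


class FabricMulticast:
    """Constructed model of the SD-Access multicast control and data plane (PIM-SM case)."""

    def __init__(self, edges):
        self.edges = set(edges)
        # group -> FE -> APs behind that FE with clients that sent an IGMP join
        self.receivers = defaultdict(lambda: defaultdict(set))
        self.rp_oif = defaultdict(set)   # group -> FEs that sent a PIM join to the RP (shared tree)
        self.rp_sources = {}             # group -> source the FB made known to the RP
        self.fb_oif = defaultdict(set)   # group -> FEs joined directly to the FB (after SPT switchover)

    def igmp_join(self, fe, ap, group):
        """Receiver to RP: client IGMP join -> AP (VXLAN) -> FE -> PIM join towards the RP."""
        if fe not in self.edges:
            raise ValueError(f"unknown Fabric Edge {fe}")
        self.receivers[group][fe].add(ap)
        self.rp_oif[group].add(fe)

    def source_active(self, source, group):
        """Source to RP: the FB, DR for the source segment, makes the source known to the RP."""
        self.rp_sources[group] = source

    def deliver(self, group):
        """Forward one multicast packet for `group`; returns the overlay hops it takes."""
        if group not in self.rp_sources:
            return []  # no source registered yet, nothing to forward
        spt = sorted(self.fb_oif[group])                       # FEs already on the SPT
        shared = sorted(self.rp_oif[group] - self.fb_oif[group])  # FEs still on the shared tree
        if not spt and not shared:
            return []  # source but no receivers
        hops = []
        # After the switchover the FB head-end replicates: one VXLAN unicast per interested FE.
        hops += [Hop("FB", fe, "vxlan") for fe in spt]
        if shared:
            # First packet for these FEs goes FB -> RP -> FE over VXLAN tunnels.
            hops.append(Hop("FB", "RP", "vxlan"))
            hops += [Hop("RP", fe, "vxlan") for fe in shared]
            # The FE now knows the FB owns the source and sends a PIM join
            # directly to the FB; the next packet takes the SPT.
            self.fb_oif[group].update(shared)
        # Each FE decapsulates, applies policy and re-encapsulates to its APs,
        # which strip the VXLAN header and send the packet into the air.
        for fe in spt + shared:
            for ap in sorted(self.receivers[group][fe]):
                hops.append(Hop(fe, ap, "vxlan"))
                hops.append(Hop(ap, "clients", "air"))
        return hops

    def headend_fanout(self, group):
        """Number of VXLAN unicast copies the FB sends per multicast packet."""
        return len(self.fb_oif[group])


if __name__ == "__main__":
    m = FabricMulticast(["FE1", "FE2", "FE3"])
    m.igmp_join("FE1", "AP1", "239.1.1.1")
    m.igmp_join("FE2", "AP3", "239.1.1.1")
    m.source_active("10.9.9.9", "239.1.1.1")  # constructed source address
    for n in (1, 2):
        print(f"packet {n}:", [(h.src, h.dst) for h in m.deliver("239.1.1.1") if h.encap == "vxlan"])
    print("FB fan-out:", m.headend_fanout("239.1.1.1"))
```

Running it shows the first packet traversing FB -> RP -> FE1/FE2 and the second going FB -> FE1 and FB -> FE2 directly, with the RP out of the data path; adding a receiver behind FE3 afterwards raises the FB's fan-out to three, which is the scaling property to keep in mind when sizing the Border for the head-end replication the slides describe.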
High Availability in SD-Access Wireless
SD-Access Wireless HA
Control Plane Redundancy
SD-Access Wireless HA
CP Redundancy
[Diagram: the WLC sends client updates to both Control Plane nodes (C, C); Border (B)]
SD-Access Wireless HA
WLC Redundancy with SSO
[Diagram: Active and Standby WLC in an SSO pair; after failover the former Standby is the Active]
Branch Design
SD-Access Wireless – Branch Design
Dedicated Branch Fabric Domain
[Diagram: Campus Fabric with ISE / AD, DNAC and WLC; each branch Fabric with its local C, B and WLC; Internet]
Per branch Fabric: dedicated FB, CP and WLC
Benefits:
Support for any WAN link latency
Direct Internet Access available
Considerations
Need a local WLC (Today only option is a physical WLC, e.g. 3504)
Limited scalability in DNAC 1.1 in terms of number of branches (10 Fabric domains). In DNAC 1.2 limitation is removed with Distributed Campus
WAN needs to support MTU > 1554 for SDA transit
New in DNAC 1.2 / SDA 1.2
New Features in SDA 1.2
Default RF Profile
Band Select
5GHz only SSID (Radio Policy)
Hidden SSID
Override PSK (PSK per site)
DNAC 1.2 Advanced RF (Default RF Profile)
[Screenshot of the DNAC workflow]
DNAC 1.2 Advanced RF (Band Select)
[Screenshot of the DNAC workflow]
DNAC 1.2 Advanced RF (5GHz only SSID)
Radio Policy configuration
5GHz only will apply Radio policy 802.11a only to the WLAN.
DNAC 1.2 Advanced RF (Hidden SSID)
Admin has the option to hide the SSID so that the SSID is not broadcasted.
DNAC 1.2 Advanced RF (Override PSK)
In DNAC 1.2, the PSK for an SSID can be site specific. Each site can have a different PSK for the SSID.
[Screenshots of the DNAC workflow]
DNAC 1.2 : PnP for AP Provisioning
DNAC 1.2 supports PnP for APs (AP sensor is there already in 1.1.x)
DNAC 1.2 : PnP for AP Provisioning (Cont..)
2 Select the AP and claim the device
4 The AP gets the PnP config with WLC details from DNAC, stays in the Onboarding state for a bit and then shows Success
SD-Access Wireless
Adoption/Migration Scenarios
SD-Access Wireless Adoption
It’s a journey….
SD-Access Wireless Adoption 1
What You Need to Know
SD-Access Wireless Adoption 2
New Cisco Wireless Customer
[Decision flow: for a new Cisco Wireless customer SD-Access Wireless is Recommended; the “No” branches lead to a “Pure CUWN wireless” play]
SD-Access Wireless Adoption 2
Existing Cisco Wireless Customer
[Decision flow: Existing Cisco Wireless customer -> Wired for SDA? (Yes) -> Value prop for SD-Access Wireless? (Yes) -> Migration to SDA Wireless (Brownfield); “No” on either question leaves the flow]
Migration to SDA Wireless:
• Isolated building/Campus in one shot (equivalent to Greenfield)
• Multiple buildings with nomadic roaming (*)
(*) Nomadic and seamless roaming here refers to roaming between Fabric and non-Fabric wireless deployments.
Nomadic Roaming = same SSID, but client’s IP addressing changes
SD-Access Wireless Adoption 2
Migration for an Existing CUWN Deployment
[Diagram: Non-Fabric Area 1 and Area 2 with APs joined to the existing CUWN WLC over CAPWAP Control and Data; Services Block with DHCP, ISE and Cisco Prime]
[Diagram: DNAC added to the Services Block; Area 2 becomes an SD Fabric with C and B nodes; its APs still send CAPWAP to the CUWN WLC]
SD-Access Wireless Adoption 2
Migration for an Existing CUWN Deployment
[Diagram: Area 1 Non-Fabric with CAPWAP to the CUWN WLC; Area 2 SD Fabric with C and B nodes, whose APs send CAPWAP Control to the SDA WLC and VXLAN (Data) into the Fabric; no seamless roaming between the areas; Services Block with DHCP, ISE, Cisco Prime and DNAC]
1 Discover existing WLC to DNAC – Learn configuration (e.g. SSIDs) and populate DNAC
2 Add a dedicated WLC for SD-Access and provision it to the site (can re-use the configuration inherited from old WLC)
3 On the CUWN WLC, configure the APs in the area to join the new Fabric WLC
4 APs in the area will join the Fabric WLC. From DNAC provision APs to the Fabric site
SD-Access Wireless Adoption
Brownfield WLC support
SD-Access Wireless Adoption 2
Migration for an Existing CUWN Deployment
[Diagram: as on the previous slide: Area 1 Non-Fabric on the CUWN WLC, Area 2 SD Fabric on the SDA WLC (CAPWAP Cntrl, VXLAN Data), no seamless roaming between areas; Services Block with DHCP, ISE, Cisco Prime and DNAC]
Recommendations
Can use DNAC for both Fabric and non-Fabric
Dedicated WLC for SD-Access Wireless
Same SSIDs on Fabric and non-Fabric
Same RF Groups for CUWN WLC and SDA WLC
WLCs in different Mobility Group (no seamless roaming between areas)
SD-Access Wireless Adoption 2
Consideration for Shared WLC for Fabric and non-Fabric
[Diagram: one Shared WLC managing a Traditional Campus (Area 1, CAPWAP, Non-Fabric APs) and an SD-Access Fabric (Area 2, CAPWAP Control plus VXLAN, Fabric APs, B and CP nodes); no roaming between Fabric and non-Fabric APs; ISE, Cisco Prime and DNAC; Guest Anchor reached over EoIP; Internal networks on both sides]
Shared controller for SDA and CUWN
• Shared WLC can manage Fabric and non-Fabric APs but needs upgrade to 8.5
• New code = more risk for existing non-Fabric buildings
Management:
• DNAC 1.2 can manage non-Fabric WLC in brownfield scenarios
• But not all wireless settings are available
WLAN Design:
• Fabric is enabled per SSID
• To have same SSID name in both areas:
1. Need to define and apply AP Groups
2. APs need to be re-booted
Guest and Policy:
• Can leverage existing Guest Anchor also for Fabric area/building
• Can leverage ISE for both
Key Takeaways
Software Defined Access: Networking at the Speed of Software!
Automated Network Fabric: Single Fabric for Wired & Wireless with Workflow-based Automation
Insights & Telemetry: Analytics and insights into user and application behavior
SDA-Extension: User Mobility, IoT Network, Employee Network
Don’t Miss the SD-Access Book…
It’s an e-book and you can download it from the link below
https://www.cisco.com/c/dam/en/us/products/se/2018/1/Collateral/software-define-access.pdf
Cisco Enterprise Wireless Book
http://cs.co/wirelessbook
What to Do Next?
Technical Advisory
Q&A
SD-Access Resources
Would you like to know more?
cisco.com/go/sdaccess
• SD-Access At-A-Glance
• SD-Access Design Guide
• SD-Access FAQs
• SD-Access Migration Guide
• SD-Access Solution Data Sheet
• SD-Access Solution White Paper
cisco.com/go/dnacenter
• DNA Center At-A-Glance
• DNA Center 'How To' Video Resources
• DNA Center Data Sheet
cisco.com/go/cvd
• SD-Access Design Guide - Dec 2017
• SD-Access Deploy Guide - Jan 2018
What to Do Next?
Related Sessions
SD-Access Breakouts (Core R&S Track)
• Cisco SD-Access - A Look Under the Hood [BRKCRS-2810]
Shawn Wargo, Principal Engineer, Technical Marketing, Cisco
Monday, Jun 11, 01:30 p.m. - 03:30 p.m.
• Cisco SD-Access - Policy Driven Manageability [BRKCRS-3811]
Victor Moreno, Distinguished Engineer, Cisco
Wednesday, Jun 13, 01:30 p.m. - 03:00 p.m.
• Cisco SD-Access - Connecting to External Networks [BRKCRS-2811]
Satish Kondalam, Technical Marketing Engineer, Cisco
Monday, Jun 11, 04:00 p.m. - 06:00 p.m.
• Cisco SD-Access – Building the Routed Underlay [BRKCRS-2816]
Rahul Kachalia, Sr. Technical Leader, Cisco
Thursday, Jun 14, 10:30 a.m. - 12:00 p.m.
• Cisco SD-Access – Integrating with Existing Network [BRKCRS-2812]
Kedar Karmarkar, Technical Leader, Cisco Systems Inc
Tuesday, Jun 12, 04:00 p.m. - 06:00 p.m.
Thursday, Jun 14, 08:00 a.m. - 10:00 a.m.
• Cisco SD-Access - Extending Segmentation and Policy into IoT [BRKCRS-2817]
Sanjay Hooda, Distinguished Engineer, Cisco
Thursday, Jun 14, 01:00 p.m. - 02:30 p.m.
Related Sessions
SD-Access Breakouts (Other Tracks)
• How to setup an SD-Access fabric from scratch [BRKEWN-2021]
Simone Arena, Principal Engineer, Technical Marketing, Cisco
Ramses Smeyers, Principal Engineer, Services, Cisco
Monday, Jun 11, 08:30 a.m. - 10:00 a.m.
• Cisco SD-Access: Secure Segmentation Design [CCSCRS-2000]
Ankush Arora, Solutions Architect, Cisco
Subodh Gajare, Senior Solutions Architect, Cisco
Thursday, Jun 14, 10:00 a.m. - 11:00 a.m.
• Cisco SD-Access Wireless Integration [BRKEWN-2020]
Simone Arena, Principal Engineer, Technical Marketing, Cisco
Tuesday, Jun 12, 08:00 a.m. - 10:00 a.m.
• Cisco SD-Access - Integration with DC Architectures [BRKDCN-2489]
Karthik Kumar Thatikonda, Technical Marketing Engineer, Cisco
Thursday, Jun 14, 01:00 p.m. - 02:30 p.m.
Related Sessions
SD-Access Hands-On & WISP Labs
• A Practical Look at DNA Center: Hands-On Lab [LTRNMS-2500]
Jim Galvez, Technical Solutions Architect, Cisco
Saurav Prasad, Principal Engineer, Technical Marketing, Cisco
Lila Rousseaux, Technical Solutions Architect, Cisco
Monday, Jun 11, 08:00 a.m. - 12:00 p.m.
• Cisco SD-Access- Hands-On Lab [LTRCRS-2810]
Derek Huckaby, Technical Marketing Engineer, Cisco
Larissa Overbey, Technical Marketing Engineer, Cisco
Wednesday, Jun 13, 01:00 p.m. - 05:00 p.m.
Thursday, Jun 14, 08:00 a.m. - 12:00 p.m.
• Cisco Software Defined Access (SD-Access) [LABCRS-2041]
Mariusz Kazmierski, Technical Leader, Services, Cisco Systems
• Cisco SD-Access and ACI Integration - Hands-On Lab [LTRACI-2636]
Kaushal Patel, Network Consulting Engineer, Cisco
Ali Haider, Network Consulting Engineer, Cisco
Jaydeepsinh Parmar, Network Consulting Engineer, Cisco
Wednesday, Jun 13, 08:00 a.m. - 12:00 p.m.
DNA Software Subscription
ESSENTIALS ADVANTAGE
Available for Current Catalyst 3K, 4K, 6K and Next Generation Catalyst 9K Series
Cisco ONE Suite – Essentials Includes ISE Base
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session
How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
Complete your online session evaluation
Continue your education
• Demos in the Cisco campus
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions
Thank you