Enterprise Campus Wired Design Fundamentals - Back to Basics

Shawn Wargo, Principal TME (@Shawn_Wargo)
BRKENS-1501

[Diagram: campus layers Edge, Core, Distribution and Access (MDF 1) connecting up to DC, WAN and ISP]
Agenda
1. What is a Campus Network?
2. 1-2-3 or 4+ Tier Design
3. ECMP vs. StackWise
4. MPLS vs. EVPN vs. SD-Access
5. Wireless & Security Notes
6. Summary & References

BRKENS-1501 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Campus Baseline: Campus Networks
• What is “Campus”?
• Place in Network (PIN)
• Multi-Layer Model
• Chassis Types
• Campus Cabling
• PIN Features
What is a “Campus”?
The basic Merriam-Webster definition of a Campus is: a group of one or more buildings, and surrounding grounds, where people and their belongings work together.
Common examples are Hospitals & Research Centers, Schools & Universities and Corporations & Offices.
Using this, it’s clear a Campus Network is focused on:
• People (Users, Vendors, etc.)
• People's devices (PCs, Phones, Printers, etc.)
• Similar geographic area (LAN, WLAN or MAN, etc.)
• Access to other domains (WAN, ISP, DC & Cloud, etc.)
This includes many different network technology areas (Wired, Wireless, Security, QoS, Management, etc.).

Campus is focused on User Access.
Campus = Geography
Buildings are spread out. Multiple floors per building.
www.cisco.com/c/en/us/solutions/cisco-on-cisco/enterprise-networks.html
Campus Networks: Building MDF/IDF & Wiring Closets
• MDF = Main Distribution Framework (Core)
• IDF = Intermediate Distribution Framework (Distro/Access)
www.cisco.com/c/en/us/solutions/design-zone/networking-design-guides/campus-wired-wireless.html
Campus ≠ Data-Center
One or a few large buildings nearby. Usually a single floor.
www.cisco.com/c/en/us/solutions/cisco-on-cisco/enterprise-networks.html
Campus Networks - Real Life
[Photo slide]
Campus PINs & Topology
[Diagram: PINs by tier, with the protocols that typically run between them]
• Core Interconnect / Core + Edge: BGP, MPLS / BGP, EVPN / BGP, IGP
• Campus Core / Collapsed Core: OSPF, EIGRP, ISIS
• Campus Distribution: STP
• Campus Access: STP, REP
• Extended Access (IOT / FTTX)
Campus Multi-Layer Model

CORE + (Catalyst 9600, 9500, 9400)
• Few MAN (High-Speed) or WAN (Low-Speed) Uplinks
• Internal & External Autonomous Systems
• Medium - Large IPv4 / IPv6 Routing Tables
• Layer 3 Security, QoS & Flexible NetFlow
• Virtualization: SVL, MPLS/VPLS, EVPN, SDA, etc.
• Few Medium to High-Speed LAN Downlinks

DISTRIBUTION (Catalyst 9600, 9500, 9400)
• Few Medium - High Speed LAN Uplinks
• Medium IPv4 / IPv6 Routing Tables
• Medium MAC Tables & ARP / ND Tables
• L2 & L3 Security, QoS & Flexible NetFlow
• Virtualization: SVL, STP / REP, VLAN, SDA, etc.
• Many Small to Medium Speed LAN Downlinks

ACCESS (Catalyst 9400, 9300, 9200)
• Few Small - Medium Speed LAN Uplinks
• Small – Medium MAC Tables
• Power Over Ethernet, Integrated Wireless, etc.
• L2 Security, QoS & Flexible NetFlow
• Virtualization: Stack, VLAN, STP / REP, SDA, etc.
• Many Low - Medium Speed LAN Downlinks

Always 3 “Logical” Layers
• Each layer serves a specific set of functions
• Each layer has a specific set of requirements
If you ‘collapse’ layers, your device needs to support all ‘logical’ functions.
Modular vs. Fixed Platforms (e.g. Catalyst 9400 modular chassis)

Modular
• PROs: More Flexible; Longer Life-Cycle; Higher Port Density; More Power/Cooling; Redundant Processors
• CONs: More Complex; BW limit by Chassis; Slow(er) Dev & Test; Lower MTBF; Higher COGs

Fixed
• PROs: Less Complex; Swap Chassis for BW; Faster Dev & Test; Higher MTBF; Lower COGs
• CONs: Less Flexible; Shorter Life-Cycle; Lower Port Density; Less Power/Cooling; Single Processor
Copper vs. Fiber Media
www.cisco.com/c/en/us/products/interfaces-modules/transceiver-modules/

Copper (Short Distance – Cheap)
• Category 5, 6 & 7; Unshielded (UTP) or Shielded (STP)
• RJ45 (Access to Endpoints); Cat6A (Offset Wires), Cat5E (Flush Wires)
• Speeds: 10M, 100M, 1G, 2.5G, 5G, 10G

Fiber
• OM3, OM4 & OM5; Single-Mode (SMF), Multi-Mode (MMF), Wave-Division Multiplex (WDM)
• SFP (Access & Distribution), QSFP (Core & Edge)
• Connectors: SFP-LC (LC Duplex), mSFP (Mini LC Duplex), MPO12 (12 Fibers), MPO24 (24 Fibers)
• Speeds: 100M, 1G, 10G, 25G, 40G, 50G, 100G, 200G, 400G

Category   Frequency      Distance              Data Rate            Shielding
5E         100-350 MHz    100m                  1000 Mbps            UTP or STP
6          250-550 MHz    1G – 100m, 10G – 50m  1 Gbps / 10 Gbps     UTP or STP
6A         500-550 MHz    100m                  10 Gbps              UTP or STP
7          600 MHz        100m                  10 Gbps              Shielded only

www.cisco.com/c/en/us/products/collateral/switches/catalyst-9000/nb-06-cat9000-panduit-cables-wp-cte-en.html
Campus Networks
L2/L3 Unicast Technologies

Core
• IPv4: MP-BGP, VPNv4; Internet (v4), NAT, PBR; MPLS-VPN, VRF-Lite; IPv4 SSO, NSF/NSR, GIR; EIGRP, OSPFv2, ISIS, RIP
• IPv6: MP-BGP, VPNv6; Internet2 (v6), NAT64, PBR; MPLS-VPN, VRF-Lite; IPv6 SSO, NSF/NSR, GIR; EIGRPv6, OSPFv3, ISISv6, RIPng

Distribution (L3 north, L2 south)
• IPv4: SVI, HSRP/VRRP; ARP, DHCP Relay; IPDT/SISF, DAI; BFD, Echo; IPv4 SSO, NSF/NSR, GIR
• IPv6: SVI, HSRPv6/VRRPv6; NDP, DHCPv6 Relay; SISF (v4/v6), RA Guard; BFDv6, Echo; IPv6 SSO, NSF/NSR, GIR

Access
• IPv4: PVST, MST, REP/RENN; 802.1Q, DTP; VLANs, VTP; DHCP Snooping; MAC Learning; L2 SSO
• IPv6: PVST, MST, REP/RENN; 802.1Q, DTP; VLANs, VTP; DHCPv6 Snooping; MAC Learning; L2 SSO
Campus Networks
L2/L3 Multicast Technologies

Core
• IPv4: PIM-SM, SSM and Bidir; AutoRP, BSR RP, MSDP; MVPN, Multicast VRF-Lite; Multicast load splitting; IPv4 multicast HA; Dual-stack IPv4 / IPv6
• IPv6: PIM-SM and SSM; IPv6 BSR RP; IPv6 embedded RP; IPv6 multicast HA; Dual-stack IPv4 / IPv6

Distribution (L3 north, L2 south)
• IPv4: PIM-SM, SSM and Bidir; IGMPv2,v3 snooping; Stub multicast routing; PIM BFD; IPv4 multicast HA
• IPv6: PIM-SM and SSM; MLDv1,v2 snooping; HW register and RPF; HSRP-aware PIM; IPv6 multicast HA

Access
• IPv4: IGMP v1,v2,v3 snooping; IPv4 multicast QoS & ACL; IGMP v1,v2 filtering
• IPv6: MLD v1,v2 snooping; IPv6 multicast QoS & ACL; MLD v1,v2 filtering
Cisco Catalyst 9000 Switching Portfolio 2023
One Family from Access to Core – Common Hardware & Software
[Diagram: Catalyst 9000 family on a common Cisco ASIC and Cisco IOS® XE, from Access Switching to Core Switching]
• Catalyst 9200 Series (9200CX)
• Catalyst 9300 Series (9300X, 9300LM)
• Catalyst 9400 Series (9400X)
• Catalyst 9500 Series (9500X, C9500X-60L4D)
• Catalyst 9600 Series (9600X, C9600X-LC-32CD)
• Predecessor platforms: Catalyst 2960-X/XR, 3650/3850, 4500-E Series, 3850-XS/4500-X, 6840-X/6880-X, 6500-E/6807-XL
Campus Baseline: Core & Edge
• Campus Core (Baseline)
• Campus Core Interconnect
• Campus Core + WAN Edge
Campus Core (Baseline)
The Core PIN (Tier 3) focuses on connecting multiple Distribution layers to an Interconnect (if applicable) and/or other network domains.
• Other names: MDF, BDF
• Common in Medium & Large Campus

Main goal is a simple, high-bandwidth, L3 transport between other network layers.

Tends to be L3 routed (north & south)
• North: BGP or IGP (ABR), PIM + MSDP
• South: OSPF, IS-IS or EIGRP, PIM

Tends to use minimal L3 features
• Limited ACLs (e.g. inter-area route-maps, remote access)
• Limited QoS (e.g. many-to-one WRED, aggregate policers)
• Limited NetFlow (e.g. inter-area, aggregate flows)

Tends to require high L3 forwarding scale.

[Diagram: Core speaks BGP north to DC/WAN/ISP and OSPF, IS-IS or EIGRP (L3) south to Distribution; Distribution runs PVST or MST (L2) to Access (MDF 1)]
Campus Core Interconnect
The Interconnect PIN (Tier 4) is an extension of the Core, used to connect multiple Core layers (areas) and/or other network domains.
• Other names: Backbone, Super Core, MAN, DCI
• Common in Large & Very-Large Campus
• Main goal is to distribute the bandwidth and density requirements of multiple Core layers
• Similar attributes & requirements as Core PIN

• Tends to be L3 routed (north & south)
  • North: BGP or IGP (ABR/ASBR), PIM + MSDP
  • South: OSPF, IS-IS or EIGRP, PIM

• Tends to use minimal L3 features
  • Limited ACLs (e.g. inter-area route-maps, remote access)
  • Limited QoS (e.g. many-to-one WRED, aggregate policers)
  • Limited NetFlow (e.g. inter-area, aggregate flows)

• Tends to require higher L3 scale

[Diagram: Interconnect with 10/25/40G and 100/400G links, BGP toward DC 1, DC 2, ISP and WAN; OSPF, IS-IS or EIGRP toward the Core layers; Distro (L3) and Access (L2) below]
Campus Core + (SP/WAN) Edge
The Core-Edge PIN (Tier 4) focuses on connecting multiple Campus areas to SP/WAN (remote domains) and/or to the Internet.
• Other names: Edge Device, Internet Edge
• Common in Medium to Very-Large Campus

Main purpose is to collapse Core & Edge layers.

Tends to be L3 routed (north & south)
• North: MP-BGP + Inter-AS, NAT/PAT, PIM + MSDP
• South: BGP or IGP (ABR/ASBR), PIM + MSDP

Tends to use Virtualization & Tunnels
• VRF-Lite, MPLS/VPLS, SR, MVPN
• GRE/MGRE, IPSec, DMVPN
• QinQ, L2oMGRE, OTV, EVPN

Tends to use multiple L3/VRF features
• Edge Security ACLs (e.g. RACL, CBAC, ZBFW)
• Hierarchical QoS (e.g. Class-based Queuing, Shaping)
• Policy Based Routing (e.g. WAAS & WCCP)
• WAN NetFlow (e.g. L3/VRF FNF, WAN ETA)

Tends to require highest L3/VRF & feature scale.

[Diagram: Edge speaks MP-BGP + L2/L3VPN toward DC 1, DC 2, ISP and WAN; OSPFv3 / EIGRP-VRF toward Core; Distro (L3) and Access (L2) below]
Campus Baseline: Distribution
• Campus Distribution (Baseline)
• Collapsed Core + Distro
• Campus Distro + Ext. Access
Campus Distribution (Baseline)
The Distribution PIN (Tier 2) focuses on connecting multiple Access layers and the Core layer.
• Other names: Collapsed Core, Aggregation, IDF
• Common in Small to Large Campus

Main purpose is to “distribute” connectivity (fan-out) from the Core/WAN to the Access.
• Reduces need for high port-density in Core layer
• Also applicable to L3 Routed Access

Tends to be both L3 routed (north) and L2 switched (south)
• North: SVI, HSRP/VRRP, ARP/ND, IGP, PIM
• South: VLAN, 802.1Q, STP, MAC, IGMP

Tends to use multiple L2 & L3 features
• Access Security (e.g. IPDT/SISF, VACLs, PACLs, etc.)
• Access QoS (e.g. NBAR, Classification & Marking)
• Access NetFlow (e.g. AVC, FNF, EPA & ETA)

Tends to require med-high L2/L3 & feature scale.

[Diagram: Core (BGP to DC/WAN/ISP); OSPF, IS-IS or EIGRP (L3) between Core and Distribution; PVST or MST (L2) between Distribution and Access (MDF 1)]
Campus Collapsed Core
The Collapsed Core (Tier 2) focuses on connecting multiple Access layers and the WAN/Edge layer.
• Other names: Distribution, BDF
• Common in Small Campus or Medium Branch

Main purpose is to collapse Core & Distribution layers.
• Mostly for small(er) sites, with low(er) port density
• Similar attributes & requirements as Core + Distribution
• Also applicable to L3 Routed Access

Tends to be both L3 routed (north) and L2 switched (south)
• North: SVI, HSRP/VRRP, ARP/ND, IGP, PIM
• South: VLAN, 802.1Q, STP, MAC, IGMP

Tends to use multiple L2 & L3 features
• Access Security (e.g. IPDT/SISF, VACLs, PACLs, etc.)
• Access QoS (e.g. NBAR, Classification & Marking)
• Access NetFlow (e.g. AVC, FNF, EPA & ETA)

Tends to require high L2/L3 & feature scale.

[Diagram: Edge (BGP to DC/WAN/ISP); OSPF, IS-IS or EIGRP (L3) between Edge and Collapsed Core; PVST or MST (L2) between Collapsed Core and Access (MDF 1)]
Campus Baseline: Access
• Campus Access (Baseline)
• Routed Access
• Extended Access (IOT & FTTX)
Campus Access (Baseline)
The Access PIN (Tier 1) focuses on connecting Users & Devices, and an Extended Access (if applicable), to the Distribution layer.
• Other names: IDF, Wiring Closet
• Common in all Campus & Branch networks

Main purpose is to connect users to the network.

Tends to be L2 switched (north & south)
• North: VLAN, 802.1Q, STP, MAC, IGMP Snooping
• South: AAA, STP, Portfast, Storm-Control

Tends to use multiple L2 features & services
• Access Security (e.g. 802.1x, VACLs, PACLs, etc.)
• Access QoS (e.g. L2 CoS, Classification & Marking)
• Access NetFlow (e.g. AVC, FNF, EPA & ETA)

Tends to require low-med L2 & feature scale.

[Diagram: Core (BGP to DC/WAN/ISP); OSPF, IS-IS or EIGRP (L3) between Core and Distribution; PVST or MST (L2) between Distribution and Access (MDF 1)]
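The Access slide names the L2 security services an edge port carries (AAA/802.1x, Portfast, Storm-Control) and the Unicast slide adds DHCP Snooping, DAI and RA Guard for the user VLAN. The IOS-XE configuration below is an added example, not part of the deck or a Cisco reference design, showing how those features fit together on one access switch; VLAN 10, the interface names, the RADIUS server name and its address are assumptions, and the shared secret is a placeholder.

```cisco
! Added example (not from BRKENS-1501): access-switch hardening on IOS-XE.
! VLAN 10, interface names, server name/address are assumptions.

! AAA backend for 802.1X / MAB (placeholder address and secret)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <radius-shared-secret>
dot1x system-auth-control
!
! DHCP Snooping builds the binding table; DAI validates ARP against it.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip arp inspection vlan 10
!
! RA Guard: a host port must never originate IPv6 Router Advertisements.
ipv6 nd raguard policy HOST-PORTS
 device-role host
!
! User-facing edge port
interface GigabitEthernet1/0/1
 description User access port (VLAN 10)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 ! 802.1X authenticator with MAB fallback for non-supplicant devices
 authentication port-control auto
 mab
 dot1x pae authenticator
 ! Edge port: skip STP listening/learning, but err-disable on any BPDU
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Broadcast storm-control at 1% of link bandwidth, alert via SNMP trap
 storm-control broadcast level 1.00
 storm-control action trap
 ! Untrusted port: rate-limit DHCP and ARP so a host cannot flood the CPU
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ipv6 nd raguard attach-policy HOST-PORTS
!
! Uplink toward Distribution: the only place DHCP offers and ARP replies
! are trusted; no portfast on an inter-switch link.
interface TenGigabitEthernet1/1/1
 description Uplink to Distribution
 switchport mode trunk
 switchport trunk allowed vlan 10
 ip dhcp snooping trust
 ip arp inspection trust
```

Verify the result with `show ip dhcp snooping binding` (the bindings DAI relies on) and `show ip arp inspection interfaces`, which lists which ports are trusted; any port other than the uplink showing as trusted is a misconfiguration.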
Extended Access (IOT / FTTX)
The Extended Access PIN (Tier 1) is an extension of the Access, to connect multiple Access layers (areas) to the Distribution layer.
• Other names: High-End Access, IOT, FTTX
• Common in Very-Large Campus or Large Branch

Main goal is to extend the size and scale of the Access layer and connect more hosts.

Tends to be L2 switched (north & south)
• North: VLAN, 802.1Q, STP/REP, MAC, IGMP Snooping
• South: AAA, STP/REP, Portfast, Storm-Control

Tends to use multiple L2 features & services
• Access Security (e.g. 802.1x, VACLs, PACLs, etc.)
• Access QoS (e.g. L2 CoS, Classification & Marking)
• Access NetFlow (e.g. AVC, FNF, EPA & ETA)

Tends to require med-high L2 & feature scale.

[Diagram: Core (BGP to DC/WAN/ISP); OSPF, IS-IS or EIGRP (L3) to Distribution; PVST or MST (L2) to Access (MDF 1); REP rings from Access to the IOT extended-access switches]
Campus Baseline: Campus Architecture
• Equal Cost Multi-Path
• Virtual Switches (StackWise)
Campus Architectures
Control-Plane & Data-Plane Redundancy

1. ECMP (L2/L3 Paths)
• Complex Topology
• More Nodes, Less Cables
• More Neighbors (+ Tuning)
• Protocol Load-Balancing (ECMP)
• Node-level Redundancy
L1: Single Connections
L2: STP, MST, REP + ECMP (Port Cost)
L3: FHRP, IGP, BGP + ECMP (Port Cost)
More Neighbors = Requires Protocol Tuning

2. EtherChannel (L2/L3 LAG)
• Complex Topology
• Same Nodes, More Cables (2-8)
• Same Neighbors (+ Tuning)
• EtherChannel Load-Balancing
• Node & Link-level Redundancy
L1: Multiple Connections
L2: STP, MST, REP + ECMP (Portchannel Cost)
L3: FHRP, IGP, BGP + ECMP (Portchannel Cost)
More Neighbors = Requires Protocol Tuning

3. StackWise (L2/L3 MEC)
• Simple Topology
• Same Cables, Less Nodes
• Less Neighbors (No Tuning)
• Multi-chassis EtherChannel (MEC)
• Layer-level Redundancy
L1: Multiple Connections
L2: L2 MEC (No STP or REP)
L3: IGP, BGP + L3 MEC (No FHRP)
Fewer Neighbors = No Protocol Tuning
StackWise Virtual Core/Distro
The StackWise Virtual (SVL) Core PIN focuses on combining Core and/or Distribution into a single virtual switch to connect to outside areas.
• Typically, the same layer as Distribution or Core (Tier 2-3)
• The same ‘physical’ topology as a multi-layer network

Main goal is to simplify and expand the Distribution and/or Core layer.

Same L2/L3 protocols & features as Distro/Core
• North: SVI, ARP/ND, IGP/BGP, PIM
• South: VLAN, 802.1Q, MAC, IGMP (No STP)

Leverages Stateful Switchover (SSO)
• Active/Standby Control-Plane (synchronized)
• Works with NSF/NSR for L3 protocols

Leverages Multi-chassis EtherChannel (MEC)
• Active/Active Data-Plane (both switches forwarding)
• L2 & L3 Portchannel (neighbor sees single neighbor)

Tends to require med-high L2, L3 & feature scale.

[Diagram: Core (BGP to DC/WAN/ISP); OSPF, IS-IS or EIGRP over L3 MEC between Core and the SVL Distribution pair; L2 MEC from Distribution to Access]
StackWise Access
The StackWise Access PIN focuses on combining multiple Access switches into a single virtual switch to increase access-layer port density.
• Typically, the same layer as Access (Tier 1)
• The same ‘physical’ topology as a multi-layer network

Main goal is to expand port density of the Access layer.

Same L2 protocols & features as Access
• North: VLAN, 802.1Q, STP, MAC, IGMP Snooping
• South: AAA, STP, Portfast, Storm-Control

Leverages Stateful Switchover (SSO)
• Active/Standby Control-Plane (synchronized)
• Works with NSF/NSR for L3 protocols

Leverages Multi-chassis EtherChannel (MEC)
• Active/Active Data-Plane (both switches forwarding)
• L2 Portchannel (neighbor sees single neighbor)

Tends to require med-high L2 + feature scale.

[Diagram: Core (BGP to DC/WAN/ISP); OSPF, IS-IS or EIGRP over L3 MEC to Distribution; L2 MEC from Distribution down to stacked Access switches (MDF 1)]
Campus Baseline: Campus Solutions
• MPLS/VPLS (L2/L3VPN)
• BGP-EVPN (L2/L3VNI)
• SD-Access (L2/L3VNI + SGT)
Campus Solutions & Designs
Providing additional services (beyond basic PINs)

1. MPLS (L2/L3VPN)
• L3 Underlay + L2/L3 VPN Overlay
• Virtual Private Networks
• L3 VRF-based Segmentation
• WAN/Edge + VPN Services
Technologies: MPLS/VPLS, LDP, SR, MP-BGP, PIC; MVPN, LSM, Extranet, MSR; SSO, NSF/NSR, ECMP, GIR; VPN-FNF, Uniform/Pipe QoS, PBR, IPACL

2. EVPN (L2/L3VNI)
• L3 Underlay + L2/L3 VNI Overlay
• Virtual Network Instances
• L2/L3 VNI-based Segments
• Common WAN/LAN Services
Technologies: MP-BGP/EVPN, VXLAN, VRF-Lite; L2 TRM, L3 TRM, L2 BUM; SSO, NSF/NSR, ECMP, GIR; Fabric-FNF, Uniform QoS, IPACL/OGACL

3. SDA (L2/L3VNI + SGT)
• L3 Underlay + L2/L3 VNI Overlay
• VNIs + Scalable Group Tagging
• L2/L3 VNI + SGT Segments
• LAN Services + Group-Based Policy
Technologies: LISP, VXLAN, MP-BGP, VRF-Lite; LISP HER, Native, L2 BUM; SSO, NSF/NSR, ECMP, GIR; Fabric-FNF, App QoS, SGACL
EVPN Border & Spine
The EVPN Border & Spine PIN focuses on connecting an EVPN Fabric and/or other network domains.
• Typically, the same layer as Core or Edge (Tier 3-4)

Main goal is to connect the EVPN fabric to other networks.

Uses a L3 Underlay + L3 Hand-off
• North (outside): L3 MP-BGP + Inter-AS, PIM + MSDP
• South (inside): L3 IGP, PIM + MSDP

Uses a Virtualized L2/L3 Overlay
• Control-Plane: BGP-EVPN (RR), TRM
• Data-Plane: VXLAN
• Policy-Plane: L2/L3 VNID

Tends to use Overlay-aware Features
• IP/OG ACLs (e.g. destined Outside)
• Uniform QoS (e.g. copy Inner, queue Outer)
• Inter-VRF Routing (e.g. VRF-Lite, Leaking)
• Fabric NetFlow (e.g. VRF/VNID in FNF)

May require multiple encapsulation(s).

Tends to require high L2/L3 & feature scale.

[Diagram: Border/Spine (B|S) nodes at the Core speaking BGP to DC/WAN/ISP; Overlay: BGP-EVPN + VXLAN; Underlay: IGP; Leaf (L) nodes at the Access]
EVPN Leaf
The EVPN Leaf PIN focuses on connecting Wired endpoints to an EVPN Fabric domain.
• Typically, the same layer as Access or Extended (Tier 1)

Main goal is to connect Endpoints to the EVPN network.

Uses a L3 Underlay + L2 Hand-off
• North (inside): L3 IGP, PIM + MSDP
• South (outside): L2 VLAN (L3 SVI), STP, IGMP

Uses a Virtualized L2/L3 Overlay
• Control-Plane: BGP-EVPN, TRM
• Data-Plane: VXLAN
• Policy-Plane: L2/L3 VNI

Tends to use Overlay-aware features
• IP/OG ACLs (e.g. destined outside)
• Uniform QoS (e.g. copy inner, queue outer)
• Inter-VRF Routing (e.g. VRF Leaking)
• Fabric NetFlow (e.g. FNF + VNID)

Tends to require med-high L2/L3 & feature scale.

[Diagram: Border/Spine (B|S) at the Core with BGP to DC/WAN/ISP; Overlay: BGP-EVPN + VXLAN; Underlay: IGP; Leaf (L) nodes at the Access]
SD-Access Border & CP
The SDA Border / CP PIN focuses on connecting an SDA Fabric and/or other network domains.
• Typically, the same layer as Core or Core/Edge (Tier 3-4)

Main goal is to connect the SDA fabric to other networks.

Uses a L3 Underlay + L3 Hand-off
• North (outside): L3 MP-BGP + Inter-AS, PIM + MSDP
• South (inside): L3 IGP, PIM + MSDP

Uses a Virtualized L2/L3 Overlay
• Control-Plane: LISP (XTR, MS/MR), PIM
• Data-Plane: VXLAN-GPO
• Policy-Plane: L2/L3 VNI + SGT

Tends to use Overlay-aware features
• Security Group ACLs (e.g. destined outside)
• Uniform Pipe QoS (e.g. copy inner, queue outer)
• Inter-VRF Routing (e.g. VN Extranet, or VRF-Lite)
• Fabric NetFlow (e.g. VRF/VNID + SGT FNF, NaaS/ETA)

May require multiple encapsulation(s).

Tends to require higher L3 & feature scale.

[Diagram: Border/Control-Plane (B|C) nodes at the Core speaking MP-BGP to DC/WAN/ISP; Overlay: LISP + VXLAN-GPO; Underlay: IGP; Edge (E) nodes at the Access (MDF 1)]
SD-Access Edge
The SDA Edge PIN focuses on connecting Wired/Wireless endpoints to an SDA Fabric domain.
• Typically, the same layer as Access or Extended (Tier 1)

Main goal is to connect Endpoints to the SDA network.

Uses a L3 Underlay + L2 Hand-off
• North (inside): L3 IGP, PIM + MSDP
• South (outside): L2 VLAN (L3 SVI), STP, IGMP

Uses a Virtualized L2/L3 Overlay
• Control-Plane: LISP (XTR), PIM
• Data-Plane: VXLAN-GPO
• Policy-Plane: VN + SGT

Tends to use Overlay-aware features
• Security Group ACLs (e.g. destined outside)
• Uniform Pipe QoS (e.g. copy inner, queue outer)
• Inter-VRF Routing (e.g. VN Extranet)
• Fabric NetFlow (e.g. FNF, NaaS)

Tends to require higher L3 & feature scale.

[Diagram: Border/Control-Plane (B|C) nodes at the Core with BGP to DC/WAN/ISP; Overlay: LISP + VXLAN-GPO; Underlay: IGP; Edge (E) nodes at the Access (MDF 1)]
Campus Baseline: Wireless & Security
• Central Wireless
• Firewalls & ACLs
Wireless LAN
The Central Wireless PIN focuses on connecting Wireless APs centrally to one or multiple WLCs.
• WLC is typically connected to Core, Edge or DC (Tier 3+)
• APs are typically connected to Access (Tier 1)

Main goal is to connect Wireless Endpoints (via APs) to a Wireless LAN (WLAN), centrally in the network.

Uses a L2/L3 Underlay + L2 Hand-off
• North (to WLC): L2 VLAN + 802.1Q, L3 SVI, IGP
• South (to AP): L2 VLAN + 802.1Q, STP, IGMP

Uses a Tunneled L2 Overlay
• Control-Plane: CAPWAP, DTLS, LWAPP
• Data-Plane: CAPWAP, DTLS

Tends to require L2 (WLAN) features
• L2 ACLs (e.g. VACL, MAC ACL)
• L2 QoS (e.g. VLAN QoS)
• L2 NetFlow (e.g. FNF, AVC, EPA & ETA)

Tends to require higher L2/L3 + feature scale.

[Diagram: Central Wireless - C9800-40/80 WLC Clusters attached via VLAN/SVI to C9500X/9600X Core Switches; CAPWAP tunnels carried over VLANs down to C9300X/9400X Access Switches and C9130 WIFI6/6E Access Points]
Firewalls & ACLs
The Firewall (DMZ) PIN focuses on controlling access into or out of different network areas.
• Typically connected to Core, Edge or DC (Tier 3+)
• Complex designs may use Distro or Access (Tier 1-2)

Main goal is to prevent unauthorized access to different network domains (segments).
• Evolved from “Edge” Access-Control Lists (ACLs)
• Can be either L2, L3 or VRF-aware
• Tends to focus on L4-L7 flows (with or w/o DPI)

Uses a L2 or L3/VRF + ACLs
• North (outside): L2 802.1Q, L3 (SVI, Sub-Ints), IGP, BGP
• South (inside): L2 802.1Q, L3 (SVI, Sub-Ints), IGP, BGP

Tends to use L2 & L3/VRF + DPI & ACL features
• L4/App ACLs (e.g. VACL, MAC ACL)
• L4/App QoS (e.g. VLAN QoS)
• L4/App NetFlow (e.g. FNF, AVC, EPA & ETA)

Tends to require med-high L2/L3 & feature scale.

[Diagram: Firewalls (DMZ) placed between the outside and inside areas, forming the De-Militarized Zone (DMZ)]
Campus Baseline: Conclusion
• Know the Campus PINs
• Other References
• Keep Learning!!! ☺
Keep Learning!
• Cisco Validated Design (CVD): cisco.com/go/cvd, cs.co/en-cvds
Webex App
Questions? Use the Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Events Mobile App
2. Click “Join the Discussion”
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until February 23, 2024.
https://ciscolive.ciscoevents.com/ciscolivebot/#BRKENS-1501
Fill out your session surveys!
Participants who fill out a minimum of four session surveys and the overall event survey will get a Cisco Live t-shirt (from 11:30 on Thursday, while supplies last)!
All surveys can be taken in the Cisco Events Mobile App or by logging into the Session Catalog and clicking the ‘Participant Resource Center’ link at https://www.ciscolive.com/emea/learn/session-catalog.html.
Continue your education
• Visit the Cisco Showcase for related demos
• Book your one-on-one Meet the Engineer meeting
• Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
• Visit the On-Demand Library for more sessions at ciscolive.com/on-demand. Sessions from this event will be available from February 23.
Thank you
