
Connecting Cisco SD-Access LISP to the World: Use Cases and Segmentation

Devi Bellamkonda, Technical Marketing Engineer
CCIE#44453 (DC, SP)
BRKENS-2811

#CiscoLive
Cisco Webex App
https://ciscolive.ciscoevents.com/
ciscolivebot/#BRKENS-2811

Questions?
Use Cisco Webex App to chat
with the speaker after the session

How
1 Find this session in the Cisco Live Mobile App

2 Click “Join the Discussion”

3 Install the Webex App or go directly to the Webex space

4 Enter messages/questions in the Webex space

Webex spaces will be moderated Enter your personal notes here

by the speaker until June 7, 2024.

#CiscoLive BRKENS-2811 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Agenda

In this Session ...

✓ Expect to learn about new capabilities through use cases.

✘ We will not be covering the basics of Cisco SD-Access and its various components.

✘ The scenarios discussed may not exactly match your challenges, but they can give you insights on how to approach them.
Explore Ideas with ...
• Cisco Partners
• Cisco CX services
• Cisco SE or AM
• Cisco Communities
• Cisco Live Meet the Expert
• Cisco Live On-Demand Library
For Your Reference

The PDF contains a lot more information, marked “For Your Reference”.
Cisco Live US SD-Access/ISE Learning Map

Calendar graphic (Sunday 2nd to Thursday 6th) of related sessions, with a legend for Catalyst Center, ISE and BU-led sessions: TECENS-2820, BRKENS-2810, BRKSEC-2100, BRKENS-2502, BRKENS-2833, BRKENS-2827, BRKENS-2800, BRKENS-2819, BRKENS-1802, BRKENS-1801, CIUG-1003, BRKSEC-2091, BRKENS-2821, LTRENS-2419, BRKENS-2816, BRKENS-1852, and this session, BRKENS-2811 (1PM): Connecting Cisco SD-Access LISP to the World: Use Cases and Segmentation.
SD-Access LISP: Industry Leading Campus Architecture

Deployments: 4050+
Momentum: 40% YoY growth in customers; +66% API (YoY)
Key use case: 70% Wireless
Usage: 24K+ Sites; 1.8M+ Devices

Top verticals: Government, Finance, Professional services, and Manufacturing
Adopted by 31% of U.S. Fortune 100 Companies
EMEA: 52%, Americas: 29%, APJC: 19%
SD-Access LISP Customer Success
Verticals: Healthcare, Education, Energy, Manufacturing

Scale (six reference customers):
• 5300 devices, 15K+ endpoints
• 6200 devices, 10K+ endpoints
• 6500 devices, 66K+ endpoints
• 5300 devices, 57K+ endpoints
• 4500 devices, 10K+ endpoints
• 16K devices, 98K+ endpoints

Requirements:
• Segmentation at scale
• Secure, highly available network
• Zero-Trust Network Access
• Automated operations
• High-performance, scalable Wi-Fi
• HIPAA compliance
• APIs for automation and tool integration

Segmentation at Scale | Unified Wired/Wireless Policy | IT/OT Integration Experience

BRKENS-1801, BRKENS-1802, CIUG-1003: speaking at this Cisco Live
Customer Challenges and Requirements
• SD-Access Migration
  • Underlay for the fabric should be automated
  • Concurrent underlay automation for sites
  • Some locations must remain Layer 2 switched access
  • Flexibility to have no routing protocols below the distribution layer

• Critical Services
  • Simplified Critical Services such as Shared Services and Internet with minimum configuration

• Seamless Internet Connectivity
  • Consistent Policy across Cisco SD-Access sites
  • No loss in Internet Connectivity (Active/Backup Internet)

• Datacenter
  • Consistent Policy across Domains in an acquisition
Diagram: Migration Sites 1 to 4 connected to the Data Center hosting ISE, Cisco Catalyst Center and DHCP, DNS, AD (Services). * WLCs for each site not shown.
Progress Chart

Diagram: Migration Sites 1 to 4 connected to the Data Center (ISE, Cisco Catalyst Center, DHCP, DNS, AD Services). Topics covered in order: Data Center, Fabric Underlay, Layer 2 Access, Critical Services, Seamless Internet. * WLCs for each site not shown.
LAN Automation Enhancements

Diagram: Migration Sites 1 to 4, with Layer 3 links and Layer 2 links indicated.
Fabric Network Infrastructure
Underlay Infrastructure: LAN Automation
Migration Site 1
• Zero-Touch Image Management with device onboarding.
• Automated underlay buildout with validated best practice configuration.
• L3 routed access network with IS-IS routing protocol.
• Higher MTU to accommodate VXLAN encapsulation.
• (optional) Enable the Multicast option to support Broadcast, Unknown-Unicast and Link-local Multicast (BUM).

Diagram: automated underlay of Layer 3 switches. Turnkey solution to dynamically discover, onboard and provision switches to simplify network operations.
Fabric Network Infrastructure
Underlay Infrastructure: LAN Automation Procedure

• Define Network Settings
  ▪ Network – Network Hierarchy
  ▪ Device Credentials – CLI, SNMP, HTTP(S) credentials
  ▪ IP Address Pools – IP pool to build the underlay infrastructure
• Provision network devices
  ▪ Select Seed devices – Primary/Peer Device and Interfaces
  ▪ Start LAN Automation – discover network devices, image management and assignment to site
  ▪ Stop LAN Automation – configure routed access

Diagram: Datacenter above the Primary Device and Peer Device (seed devices) with their selected interfaces; discovered switches run IS-IS; VLAN 1 is shown on the links during discovery.

Cisco Catalyst Center User Guide, Release 2.3.7
Cisco Catalyst Center SD-Access LAN Automation Deployment Guide
Migration Site 1

Diagram: the two LAN Automation seed devices, with the LAN Automation discovered switches below them.
Fabric Network Infrastructure
Underlay Infrastructure: After LAN Automation

Migration Site 1

Fabric Network Infrastructure
Underlay Infrastructure: Site after Migration

Diagram, SD-Access Network (Migration Site 1): a pair of Colocated Border Nodes / Control Plane Nodes at the top, a pair of Intermediate Nodes, and a pair of Edge Nodes at the bottom.
Fabric Network Infrastructure
Underlay Infrastructure: LAN Automation

LAN Automation has a new home: the new LAN Automation landing page.
Fabric Network Infrastructure (For Your Reference)
Underlay Infrastructure: LAN Automation
Fabric Network Infrastructure
Underlay Infrastructure: LAN Automation

We can have five simultaneous LAN Automation sessions, with one session per site.

LAN Automation Enhancements: YouTube video with demo
Fabric Network Infrastructure
Underlay Infrastructure: LAN Automation Enhancements
• Simultaneous LAN Automation sessions are supported from Cisco Catalyst Center release 2.3.5.x.
• Simultaneous LAN Automation sessions:
  • This feature allows customers to initiate up to 5 LAN Automation sessions, with one session per site.
  • Zero-touch onboarding of PnP-ready switches at 5 different sites.
• Dedicated LAN Automation landing page with a new workflow to initiate LAN Automation.
• As part of the LAN Automation enhancements, users can add or delete L3 links, which helps customers manage links better through customization.
  • Deleting is permitted on an existing link that has previously been configured by LAN Automation.
▪ From Cisco Catalyst Center 2.3.7.x:
  ▪ The LAN Automation workflow now supports the assignment of IP address pools using /27 and /28 subnet masks.
  ▪ The LAN Automation workflow allows customization of loopback IP addresses for onboarded devices.
  ▪ Modification of the loopback address for the SD-Access fabric is not supported.

Diagram: Cisco Catalyst Center driving seed devices at Site 1 through Site 5 in parallel.
Fabric Network Infrastructure (For Your Reference)
Underlay Infrastructure: LAN Automation

Customization of Loopback IP Address: screenshots of the Day 0 and Day N workflows.
The Knowledge Vault ...

BRKENS-2800
Cisco SD-Access Zero-Touch Provisioning Using LAN Automation
Progress Chart

Diagram: Migration Site 1 is now an SD-Access Network; Migration Sites 2, 3 and 4 are still to be migrated. The Data Center hosts ISE, Cisco Catalyst Center and DHCP, DNS, AD (Services). Topics: Data Center, Fabric Underlay, Layer 2 Access, Critical Services, Seamless Internet.
How to Connect an SD-Access Network to Layer 2 Access Networks

Migration Site 2

Diagram: Layer 3 above the distribution layer, Layer 2 below it, ending at a Layer 2 Switch.
Migration Site 2

Diagram sequence: the Layer 2 access Catalyst 9000 Series Switches at Migration Site 2 are brought into the SD-Access Network (Migration Site 2) as Extended Nodes. Three types exist: Classic Extended Node, Policy Extended Node and Supplicant-Based Extended Node. A Catalyst 9000 Series Switch joins as an Extended Node with a Catalyst Essentials license, or as a Policy Extended Node with a Catalyst Advantage license.
Cisco SD-Access
Layer 2 Access

Diagram: Layer 2 Access options. Enterprise (Catalyst 9000): Extended Node, Policy Extended Node, Supplicant-Based Extended Node. IOT: Extended Node, Policy Extended Node.
Cisco SD-Access
Layer 2 Access

Catalyst 9000 Series Switches
❖ EN with Essentials is supported from 2.3.3.x.
❖ Daisy chain support from 2.3.3.x.
❖ A maximum of three devices can be connected in a daisy chain.
❖ No REP Ring support.
❖ SBEN support starting 2.3.3.x.

IoT Switches
❖ EN with Essentials is supported from 2.3.3.x.
❖ Daisy chain support from 2.2.2.x.
❖ Linear daisy chains of up to 18.
❖ REP Ring support from 2.3.3.x.
  ❖ Ring of Rings not supported.
  ❖ A REP Ring should consist of either ENs or PENs.
  ❖ Dynamic addition of an EN/PEN to a ring is not supported.
  ❖ A single REP Ring should begin and end on the same Fabric Edge node.
❖ No SBEN support.

Diagram labels: Daisy Chain, REP Ring.
Cisco SD-Access (For Your Reference)
Layer 2 Access
Design Considerations
• The option to utilize Catalyst 9000 series switches as Extended Nodes (EN) with Essentials is available starting from Cisco Catalyst Center version 2.3.3.x. Users can transition the switch to a PEN via the Cisco Catalyst Center workflow after upgrading their license to Catalyst Advantage.

• Catalyst 9000 series switches acting as Extended Node (EN), Policy Extended Node (PEN) or Supplicant-Based Extended Node (SBEN) can be daisy chained when onboarded by Cisco Catalyst Center 2.3.3.3 and later. A maximum of three Catalyst 9000 devices can be connected in a daisy chain.

• Supported factory-default switches connected to Fabric Edge (FE) node closed-authentication ports can be onboarded automatically, protecting the network from unauthorized devices by keeping closed authentication on all Edge Node ports. These are referred to as Supplicant-Based Extended Nodes (SBEN), supported from Cisco Catalyst Center release 2.3.3.x onwards.

• Designed to onboard ENs using Plug and Play (PnP) in a zero-trust environment, SBEN onboarding provisions these nodes as Policy Extended Nodes, utilizing Security Group Tags (SGTs) for micro-segmentation. However, an SBEN supports a maximum of one physical uplink port; EtherChannel is not supported.

• Supported Catalyst 9000 daisy chain combinations include:
  • Daisy chain of Extended Nodes
  • Daisy chain of Policy Extended Nodes
  • Daisy chain of Supplicant-Based Extended Nodes
  • Daisy chain starting with a PEN and followed by an SBEN
  For more details on platform support: Cisco Software-Defined Access Compatibility Matrix

• In non-carpeted spaces, starting with 2.2.2.x, only IoT switches (such as Industrial Ethernet switches) can join as Extended or Policy Extended Nodes in linear chains of up to 18; REP Rings for them require the Catalyst Center workflow starting at 2.3.3.x.
The Knowledge Vault ...

• Cisco SD-Access – Catalyst 9000 as Policy Extended Nodes: YouTube video with demo
• Cisco SD-Access – Supplicant-Based Extended Nodes: YouTube video with demo
Progress Chart

Diagram: Migration Sites 1 and 2 are now SD-Access Networks; Migration Sites 3 and 4 are still to be migrated. The Data Center hosts ISE, Cisco Catalyst Center and DHCP, DNS, AD (Services). Topics: Data Center, Fabric Underlay, Layer 2 Access, Critical Services, Seamless Internet.
Simplified Critical Services Access: SD-Access Extranet

Border Node Selection (For Your Reference)
Key Takeaways
1. Do I need to import BGP-learned routes into the LISP database?
   ▪ Either Internal-only or Anywhere
2. Which border option fits most use cases?
   ▪ External-only
3. What are the checkboxes for Border Node selection:
   • Internal-Only Border
     • Registers external prefixes with the Control Plane Node
   • External-Only Border
     • Does not import external prefixes into the fabric domain
     • Does not register prefixes with the Control Plane Node
     • Fabric Gateway of Last Resort
   • Internal + External
     • Registers external prefixes with the Control Plane Node
     • Fabric Gateway of Last Resort
Cisco SD-Access
Critical Services
• Simplified Critical Services such as Shared Services and Internet with minimum configuration
Border Deployment Options
Shared Services (DHCP, AAA, etc.) with Border

A Cisco SD-Access Border connecting an External Domain with an existing Global Routing Table should use a Peer Device with MP-BGP and VRF import/export.

Route Leaking Example (peer device configuration):

ip vrf USERS
 rd 1:4099
 route-target export 1:4099
 route-target import 1:4099
 ! learn the shared-service routes exported by GLOBAL
 route-target import 1:4097
!
ip vrf DEFAULT_VN
 rd 1:4098
 route-target export 1:4098
 route-target import 1:4098
 route-target import 1:4097
!
ip vrf GLOBAL
 rd 1:4097
 route-target export 1:4097
 route-target import 1:4097
 ! import the fabric VN route targets so shared services have a return
 ! path; USERS and DEFAULT_VN never import each other's route target,
 ! so the two fabric VNs stay isolated from one another
 route-target import 1:4099
 route-target import 1:4098

Diagram: Edge Node (T1/0/1) – Border Node (T5/1, T5/2, T5/8) – MP-BGP Peer Device (G0/0/0, G0/0/3) – External Domain. The Border runs IS-IS toward the fabric and BGP to the Peer Device; VRF A and VRF B are carried on SVI A / SVI B and handed off on subinterfaces G0/0/0.A / G0/0/0.B into per-VRF BGP address families (AF VRF A, AF VRF B), alongside AF IPv4 for the GRT/VRF on the Peer Device.
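To check what the route targets above actually leak, here is an added Python model (not from the slides or any Cisco tool) of MP-BGP route-target import/export across the three VRFs; the prefixes are constructed sample values, and the two-way reachability check shows why GLOBAL must import, not export, the fabric VN route targets while USERS and DEFAULT_VN stay isolated from each other.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vrf:
    """One 'ip vrf' block: name, RD, route-targets and the prefixes it originates."""
    name: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    local_prefixes: frozenset


def leaked_tables(vrfs):
    """Routing table of every VRF after MP-BGP route-target leaking.

    A prefix originated in VRF X carries X's export RTs; VRF Y installs it
    when any of those tags is in Y's import RTs.
    Returns {vrf_name: {prefix: originating_vrf}}.
    """
    tables = {}
    for target in vrfs:
        table = {p: target.name for p in target.local_prefixes}
        for origin in vrfs:
            if origin is not target and origin.export_rts & target.import_rts:
                for prefix in origin.local_prefixes:
                    table.setdefault(prefix, origin.name)
        tables[target.name] = table
    return tables


def can_talk(tables, vrf_a, prefix_a, vrf_b, prefix_b):
    """Two-way reachability: A must hold B's prefix and B must hold A's prefix."""
    return prefix_b in tables[vrf_a] and prefix_a in tables[vrf_b]


# Constructed sample prefixes (documentation ranges), not from the slide.
NETS = {"USERS": "10.1.0.0/16", "DEFAULT_VN": "10.2.0.0/16", "GLOBAL": "192.0.2.0/24"}


def slide_vrfs():
    """The three VRFs of the route leaking example, with the slide's RDs and RTs."""
    return [
        Vrf("USERS", "1:4099", frozenset({"1:4099"}),
            frozenset({"1:4099", "1:4097"}), frozenset({NETS["USERS"]})),
        Vrf("DEFAULT_VN", "1:4098", frozenset({"1:4098"}),
            frozenset({"1:4098", "1:4097"}), frozenset({NETS["DEFAULT_VN"]})),
        # GLOBAL imports both fabric VN route targets so shared services
        # learn the fabric subnets (the return path).
        Vrf("GLOBAL", "1:4097", frozenset({"1:4097"}),
            frozenset({"1:4097", "1:4099", "1:4098"}), frozenset({NETS["GLOBAL"]})),
    ]


def misdirected_vrfs():
    """Same VRFs, but GLOBAL *exports* 1:4099/1:4098 instead of importing them."""
    vrfs = slide_vrfs()
    vrfs[2] = Vrf("GLOBAL", "1:4097", frozenset({"1:4097", "1:4099", "1:4098"}),
                  frozenset({"1:4097"}), frozenset({NETS["GLOBAL"]}))
    return vrfs


def segmentation_report(vrfs):
    """{(vn_a, vn_b): True if the two VRFs can exchange traffic after leaking}."""
    tables = leaked_tables(vrfs)
    names = [v.name for v in vrfs]
    return {(a, b): can_talk(tables, a, NETS[a], b, NETS[b])
            for i, a in enumerate(names) for b in names[i + 1:]}


if __name__ == "__main__":
    for label, vrfs in (("slide config", slide_vrfs()), ("GLOBAL exports", misdirected_vrfs())):
        print(label)
        for (a, b), ok in segmentation_report(vrfs).items():
            print(f"  {a:<10} <-> {b:<10} {'reachable' if ok else 'isolated'}")
```

With the slide's RTs both fabric VNs reach GLOBAL and nothing else; with GLOBAL exporting instead of importing, the fabric VNs see the shared-service prefix but GLOBAL has no route back to them.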


Cisco SD-Access
Current Network Challenges
• Endpoints in an SD-Access Fabric Site are in an overlay Virtual Network (VRF Routing Table).
• Endpoints need access to the Internet and critical Shared Services such as DHCP, DNS, and AD.
• Shared Services are located outside the Fabric Site, usually in a Data Center.
• Shared Services are generally in the GRT, although they may be in a dedicated Shared Services VRF.
• VRF route leaking is needed to leak Fabric Virtual Networks into the Shared Services routing table.
• This configuration is done manually outside of the Fabric (think “fusion router”).
Cisco SD-Access Extranet
Solution Introduction
• LISP Extranet provides a flexible and scalable method for giving endpoints inside the Fabric access to Shared Services and to the Internet.
• This simplifies SD-Access Fabric deployments by providing a policy-based method of VRF leaking.
• LISP Extranet helps avoid route leaking outside the Fabric Site by addressing the leaking natively in LISP.
Cisco SD-Access Extranet
SD-Access Extranet Policy

Diagram: Subscribers (VN Employees, VN Contractors, VN IOT) on the left, mapped to the Provider (Shared Services: DHCP, DNS, AD) on the right.
Cisco SD-Access Extranet (For Your Reference)
Definition of Terms
Provider Virtual Network
• Contains shared services resources such as DHCP, DNS, or even the Internet.

Subscriber Virtual Network
• Contains endpoints, hosts, and users that need to access shared services resources.
• Fabric Layer 3 Virtual Network.

Extranet Policy
• Describes the relationship between a Provider Virtual Network and one or more Subscriber Virtual Networks.
Cisco SD-Access Extranet

Diagram, SD-Access Network (Migration Site 3): Subscriber VNs “Employee” and “Contractor” on the edge nodes. Without Extranet, each VN needs its own VRF-lite handoff (Employees VN handoff, Contractor VN handoff) to the Peer Device toward DHCP, DNS, AD (Shared Services); with Extranet, a single PVN VRF-lite handoff carries the Provider VN. LISP Extranet Policies reside on the Control Plane / Transit Control Plane Nodes.
Cisco SD-Access Extranet
Extranet Policy Details
• Extranet policy is orchestrated and maintained via Cisco Catalyst Center.
• Supported from Cisco IOS XE 17.9 and Cisco Catalyst Center 2.3.4.x.
• An Extranet Policy can be associated to one or more Fabric Sites connected via IP transit/SD-Access transit.
• With Extranet, users only need to perform the Layer 3 handoff for Provider VNs from Border nodes.
• Allows communication from the Subscriber Virtual Networks to the Provider Virtual Network.
• Allows communication from the Provider Virtual Network to the Subscriber Virtual Networks.
• Contains a single Provider Virtual Network.
• Contains one or more Subscriber Virtual Networks.
• Denies Subscriber to Subscriber communication.

SD-Access Extranet policy (communication allowed from the row VN to the column VN):
Extranet Policy | Provider VN | Subscriber VN
Provider VN     | NO          | YES
Subscriber VN   | YES         | NO
Cisco SD-Access Extranet (For Your Reference)
Considerations
• Extranet policies are supported with LISP Pub/Sub fabric only.
• A Provider Virtual Network in one Policy cannot be a Subscriber Virtual Network in another Policy.
• A Subscriber Virtual Network in one Policy cannot be a Provider Virtual Network in another Policy.
• The Provider VN can be a dedicated VN or INFRA_VN (INFRA_VN cannot be a subscriber VN).
• A Virtual Network can be a Provider in only one Policy.
• A Virtual Network can be a Subscriber in one or more Policies.
• Provider to Provider communication is not supported.
• Subscriber to Subscriber communication is not supported.
• Extranet is not meant to leak Fabric VRF to Fabric VRF.
  • If two devices inside the Fabric need to communicate with one another, put them in the same Virtual Network.
• Multicast leveraging Extranet functionality is not supported (if Multicast traffic stays within a VN, it is supported, e.g. RP, Source and Receiver within a VN).
Cisco SD-
Access Extranet
Packet Flows
SD-Access Extranet – Shared Services

DHCP, DNS, AD Cisco Catalyst


(Shared Services) Center

• All virtual networks (VNs) within the fabric require 1


PVN VRF-lite
handoff

connectivity to shared services, which are


connected to the fabric border through a Provider
VRF called "Shared Services." These routes are
imported into the Provider VRF "Shared Services"
in LISP. SD-Access Network
(Migration Site 3)

Subscriber VN Subscriber VN
”Employee” “Contractor”

#CiscoLive BRKENS-2811 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 63
SD-Access Extranet – Shared Services

• Admin creates SD-Access Extranet policy via Cisco DHCP, DNS, AD Cisco Catalyst
Catalyst Center workflow which is configured in Control (Shared Services) Center

2 Plane node.
PVN VRF-lite
2 handoff
Extranet Policy :

▪ Provider VN is “ Shared Services”


▪ Subscriber VN is “Employee”
▪ Subscriber VN is “Contractor”
SD-Access Network

* Only 1 Provider VRF is allowed per extranet policy instance. (Migration Site 3)

• Multiple subscribers are allowed.

Subscriber VN Subscriber VN
• At this stage, CP knows about users ( host entries) in “Contractor”
”Employee”
respective virtual networks and their location(Edge node).

• CP also knows about shared service prefixes via Border


(Border is either Internal or Anywhere)

#CiscoLive BRKENS-2811 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
SD-Access Extranet – Shared Services

DHCP, DNS, AD Cisco Catalyst


(Shared Services) Center

3
• Host in Virtual Network Subscriber VN PVN VRF-lite
handoff
Employee on Edge node wants to
communicate with server in Shared Services
(Shared Services VN)

SD-Access Network
(Migration Site 3)

Subscriber VN Subscriber VN
”Employee” “Contractor”
3

#CiscoLive BRKENS-2811 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
SD-Access Extranet – Shared Services

DHCP, DNS, AD Cisco Catalyst


(Shared Services) Center

4
• Edge node with Virtual Network Employees PVN VRF-lite
handoff
sends a map-request to the control plane
node requesting to reach Server in Shared
Services

4
SD-Access Network
(Migration Site 3)

Subscriber VN Subscriber VN
”Employee” “Contractor”

#CiscoLive BRKENS-2811 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
SD-Access Extranet – Shared Services

DHCP, DNS, AD Cisco Catalyst


(Shared Services) Center

5
PVN VRF-lite

• Control Plane node is going to first look at the handoff

source VN which is Subscriber VN Employee


for shared service subnet which will be 5
absent.
SD-Access Network
• Second lookup would be in Provider VN (Migration Site 3)

Shared Services as Employee is part of an


extranet policy where the prefix will be
Subscriber VN Subscriber VN
present. ”Employee” “Contractor”

#CiscoLive BRKENS-2811 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
SD-Access Extranet – Shared Services

DHCP, DNS, AD Cisco Catalyst


(Shared Services) Center

• Control Plane node will respond with map- PVN VRF-lite


handoff

reply with Provider VN Shared Services


information to the Edge node

6 SD-Access Network
(Migration Site 3)

Subscriber VN Subscriber VN
”Employee” “Contractor”

#CiscoLive BRKENS-2811 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
SD-Access Extranet – Shared Services

DHCP, DNS, AD Cisco Catalyst


(Shared Services) Center

7 • Edge node will send the data plane traffic


(VXLAN encapsulated ) to the Border node in PVN VRF-lite
handoff

Provider VN Shared Services.

7
SD-Access Network
(Migration Site 3)

Subscriber VN Subscriber VN
”Employee” “Contractor”

#CiscoLive BRKENS-2811 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 69
SD-Access Extranet – Shared Services

DHCP, DNS, AD Cisco Catalyst


(Shared Services) Center

8 • Border node will de encapsulate the VXLAN


traffic and send the IP traffic to external world PVN VRF-lite
8 handoff
(Shared Services)

SD-Access Network
(Migration Site 3)

Subscriber VN Subscriber VN
”Employee” “Contractor”

#CiscoLive BRKENS-2811 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
SD-Access Extranet – Shared Services

[Diagram: Shared Services extranet topology (Migration Site 3), step 9]

9 • Return traffic from the shared services ingresses at the Border node in Provider VN Shared Services.
SD-Access Extranet – Shared Services

[Diagram: Shared Services extranet topology (Migration Site 3), step 10]

10 • The Border node has no destination host information in Provider VN Shared Services. A policy is defined on the Border so that the ingress packet is always looked up in the respective subscriber VN.
SD-Access Extranet – Shared Services

[Diagram: Shared Services extranet topology (Migration Site 3), step 11]

11 • The Border node sends the data plane traffic, VXLAN encapsulated, to the Edge node in Subscriber VN Employee.
SD-Access Extranet – Internet

[Diagram: Internet reached through the PVN VRF-lite handoff; SD-Access Network (Migration Site 3) with Subscriber VNs "Employee" and "Contractor"; step 1]

1 • The Border connects to the Internet.
• All user VNs in the fabric need connectivity to the Internet.
• The Internet connects to a Provider VRF named "Internet" that is present only on the fabric Border.
• Internet prefixes are not known to the Border nodes; only a default route is.
SD-Access Extranet – Internet

[Diagram: Cisco Catalyst Center; Internet extranet topology (Migration Site 3), step 2]

2 • The admin creates the SD-Access Extranet policy via the Cisco Catalyst Center workflow; Catalyst Center configures it on the Control Plane node.

Extranet Policy:
▪ Provider VN is "Internet"
▪ Subscriber VN is "Employee"
▪ Subscriber VN is "Contractor"

* Only one Provider VRF is allowed per extranet policy instance.
• Multiple subscribers are allowed.
• At this stage, the CP knows the users (host entries) in the respective virtual networks and their location (Edge node).
SD-Access Extranet – Internet

[Diagram: Internet extranet topology (Migration Site 3), step 3]

3 • A host in Subscriber VN Contractor on an Edge node wants to reach a prefix on the Internet, which is reachable only via the default route in Provider VN Internet.
SD-Access Extranet – Internet

[Diagram: Internet extranet topology (Migration Site 3), step 4]

4 • The Edge node, on behalf of Subscriber VN Contractor, sends a map-request to the Control Plane node for the Internet prefix.
SD-Access Extranet – Internet

[Diagram: Internet extranet topology (Migration Site 3), step 5]

5 • The Control Plane node first looks up the Internet prefix in the source VN, Subscriber VN Contractor, where it is absent.
• The second lookup is in Provider VN Internet, because Contractor is a subscriber of an extranet policy whose provider is Internet; the prefix is absent there as well, since Internet prefixes are never registered.
SD-Access Extranet – Internet

[Diagram: Internet extranet topology (Migration Site 3), step 6]

6 • Since no registration is found for the prefix in either the source VN (Subscriber VN Contractor) or the Provider VN (Internet), the Control Plane node responds with a map-reply telling the Edge node to send the traffic to the Border in Provider VN Internet, which holds the default route.
SD-Access Extranet – Internet

[Diagram: Internet extranet topology (Migration Site 3), step 7]

7 • The Edge node sends the data plane traffic, VXLAN encapsulated, to the Border node in Provider VN Internet.
SD-Access Extranet – Internet

[Diagram: Internet extranet topology (Migration Site 3), step 8]

8 • The Border node de-encapsulates the VXLAN traffic and sends the IP traffic to the external world (Internet) over the PVN VRF-lite handoff.
SD-Access Extranet – Internet

[Diagram: Internet extranet topology (Migration Site 3), step 9]

9 • Return traffic from the Internet ingresses at the Border node in Provider VN Internet.
SD-Access Extranet – Internet

[Diagram: Internet extranet topology (Migration Site 3), step 10]

10 • The Border node has no destination host information in Provider VN Internet. A policy is defined on the Border so that the ingress packet is always looked up in the respective subscriber VN.
SD-Access Extranet – Internet

[Diagram: Internet extranet topology (Migration Site 3), step 11]

11 • The Border node sends the data plane traffic, VXLAN encapsulated, to the Edge node in Subscriber VN Contractor.
SD-Access Extranet – Subscriber to Subscriber policy
How is Subscriber to Subscriber communication denied?

Flow of events:

1 • The admin creates the SD-Access Extranet policy via the Cisco Catalyst Center workflow; Catalyst Center configures it on the Control Plane node.

Extranet Policy:
▪ Provider VN is "Shared Services"
▪ Subscriber VN is "Employee"
▪ Subscriber VN is "Contractor"

2 • A host in a subscriber VN (Employee) tries to initiate communication with a host in another subscriber VN (Contractor).

3 • The respective Edge node generates a map-request to the Control Plane.

4 • The Map Server responds with a map-reply whose action is set to drop the frame.

5 • The Edge node installs the entry in its map-cache and in CEF with a drop action, thus blocking subscriber to subscriber communication.

• The Fabric Edge map-cache shows the drop entry for the other subscriber's prefix:

Fabric_edge#show ip lisp instance-id 4105 map-cache 9.10.61.0
LISP IPv4 Mapping Cache for LISP 0 EID-table vrf corp (IID 4105), 7 entries

9.10.61.0/24, uptime: 00:00:04, expires: 00:14:55, via map-reply, drop
  Sources: map-reply
  State: drop, last modified: 00:00:04, map-source: 9.254.254.66
  Active, Packets out: 0(0 bytes), counters are not accurate
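The three lookups walked through on the Shared Services, Internet and Subscriber-to-Subscriber slides above (source VN first, then the provider VN; the Border's return-path lookup into the subscriber VN; a drop map-reply when the destination lives in a sibling subscriber VN; and the hand-off to a provider-VN Border holding a default route when nothing is registered) are modelled below in Python. This is an added example written for this page, not Cisco code and not the Catalyst Center or IOS XE implementation: the class and function names, the RLOCs, and the instance-ids 4104/4105/4106/4110 are constructed assumptions chosen to resemble the slide examples.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Map-reply actions used by this model.
FORWARD = "forward"                    # positive mapping: encapsulate to the returned RLOC
DROP = "drop"                          # negative mapping: edge installs a drop entry (map-cache/CEF)
PROVIDER_DEFAULT = "provider-default"  # nothing registered: send to the provider VN's default Border(s)


@dataclass
class ExtranetMapServer:
    """Control Plane node state: per-instance registrations plus extranet policies."""
    registrations: dict = field(default_factory=dict)    # {iid: {prefix: rloc}}
    policies: dict = field(default_factory=dict)         # {name: (provider_iid, frozenset(subscriber_iids))}
    default_borders: dict = field(default_factory=dict)  # {iid: [Border RLOCs that hold 0.0.0.0/0]}

    def register(self, iid, prefix, rloc):
        """Map-register of an EID prefix (host /32 from an Edge, or a subnet via a Border)."""
        self.registrations.setdefault(iid, {})[prefix] = rloc

    def register_default(self, iid, rloc):
        """A Border in this VN has a default route (the Internet provider case)."""
        self.default_borders.setdefault(iid, []).append(rloc)

    def add_policy(self, name, provider_iid, subscriber_iids):
        """One provider VN per policy, any number of subscriber VNs."""
        self.policies[name] = (provider_iid, frozenset(subscriber_iids))

    def _longest_match(self, iid, eid):
        best = None
        for prefix, rloc in self.registrations.get(iid, {}).items():
            net = ip_network(prefix)
            if eid in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, rloc)
        return best

    def _providers_for(self, iid):
        return [prov for prov, subs in self.policies.values() if iid in subs]

    def _subscribers_of(self, iid):
        return sorted({s for prov, subs in self.policies.values() if prov == iid for s in subs})

    def _siblings_of(self, iid):
        return sorted({s for _, subs in self.policies.values() if iid in subs for s in subs} - {iid})

    def map_request(self, src_iid, eid):
        """Answer a map-request from instance `src_iid` for destination `eid`."""
        eid = ip_address(eid)
        # Lookup 1: the source VN itself.
        # Lookup 2: the provider VN(s) the source subscribes to, or, for a packet
        # arriving in a provider VN (the Border's return path), that provider's
        # subscriber VNs.
        for iid in [src_iid] + self._providers_for(src_iid) + self._subscribers_of(src_iid):
            hit = self._longest_match(iid, eid)
            if hit:
                return {"action": FORWARD, "iid": iid, "prefix": str(hit[0]), "rloc": hit[1]}
        # Destination registered only in a sibling subscriber VN: the policy never
        # leaks subscriber to subscriber, so the reply is a drop mapping.
        for iid in self._siblings_of(src_iid):
            if self._longest_match(iid, eid):
                return {"action": DROP, "iid": iid}
        # Nothing registered anywhere: if a provider VN has a Border holding a
        # default route, point the Edge at it (the Internet extranet case).
        for iid in self._providers_for(src_iid):
            if self.default_borders.get(iid):
                return {"action": PROVIDER_DEFAULT, "iid": iid, "rlocs": list(self.default_borders[iid])}
        return {"action": DROP, "iid": src_iid}


def build_demo():
    """Constructed topology. Instance-ids are assumptions chosen to resemble the slides:
    4104 = Shared Services (provider), 4105 = Employee, 4106 = Contractor, 4110 = Internet (provider)."""
    ms = ExtranetMapServer()
    ms.register(4105, "9.10.60.10/32", "10.0.0.11")   # Employee host behind Edge RLOC 10.0.0.11
    ms.register(4106, "9.10.61.20/32", "10.0.0.12")   # Contractor host behind Edge RLOC 10.0.0.12
    ms.register(4104, "10.50.0.0/24", "10.0.0.1")     # shared-services subnet via Border RLOC 10.0.0.1
    ms.register_default(4110, "10.0.0.1")             # Internet provider VN: Border holds 0.0.0.0/0, no prefixes
    ms.add_policy("p1", 4104, {4105, 4106})           # Shared Services -> Employee, Contractor
    ms.add_policy("p2", 4110, {4105, 4106})           # Internet -> Employee, Contractor
    return ms


if __name__ == "__main__":
    ms = build_demo()
    for src, dst in [(4105, "10.50.0.5"), (4104, "9.10.60.10"), (4105, "9.10.61.20"), (4106, "208.67.220.220")]:
        print(src, dst, ms.map_request(src, dst))
```

Running it shows the four outcomes from the slides: an Employee request for the shared-services subnet resolves in the provider VN (step 5/6 of the Shared Services flow); a request arriving in the provider VN for the Employee host resolves in the subscriber VN (the Border's step 10 lookup); an Employee request for the Contractor host gets a drop mapping, which is the state the show ip lisp ... map-cache output above displays; and a Contractor request for an Internet address, registered nowhere, is handed to the Border with the default route in the Internet provider VN.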
SD-Access Extranet Automation Workflow (For Your Reference)
[Four slides showing the Cisco Catalyst Center extranet workflow; only the titles survived extraction]
Cisco SD-Access Extranet (For Your Reference)
Single Site Example

Extranet Policy created on Cisco Catalyst Center:

VN Policy Name   Provider VN       Subscriber VN
P1               Shared Services   Corp

LISP Extranet Policies reside on Control Plane / Transit Control Plane Nodes.

[Diagram: DHCP, DNS, AD (Shared Services) behind the VRF-lite handoff; Cisco SD-Access Network with Subscriber VN "Corp" - 9.10.60.0/24, 9.10.61.0/24]

Configuration (Extranet Policy on the Control Plane Node):

extranet p1
 eid-record-provider instance-id 4104
  ip-any
 exit-eid-record-provider
 !
 eid-record-subscriber instance-id 4105
  9.10.60.0/24
  9.10.61.0/24
  ip-any
 exit-eid-record-subscriber
 !
exit-extranet

Verification:

show lisp extranet p1 instance-id 4104
LISP Extranet policy table
Home Instance ID: 4104
Prov/Sub    Source              InstID  EID prefix
Provider    Default ETR Reg V4  4104
Subscriber  Config              4105    9.10.60.0/24
Subscriber  Config              4105    9.10.61.0/24
Total entries: 3
Cisco SD-Access Extranet (For Your Reference)
Multi-site Example

Extranet Policy created on Cisco Catalyst Center:

VN Policy Name               Provider VN   Subscriber VN
Extranet_Policy_1_Services   Services      Campus

[Diagram: Internet and Services (Provider VN) behind the VRF-lite handoff; Fabric Site 1 and Fabric Site 2 joined by SD-Access Transit; Subscriber VN "Campus" in both sites]

Extranet policy configuration on the Transit Control Plane Node:

extranet Extranet_Policy_1_Services
 eid-record-provider instance-id 4101
  ip-any
 exit-eid-record-provider
 !
 eid-record-subscriber instance-id 4099
  ip-any
 exit-eid-record-subscriber
 !
exit-extranet

Extranet policy configuration on each site's Control Plane Node (extranet-config-from-transit propagates the subscriber records from the Transit Control Plane):

extranet Extranet_Policy_1_Services
 extranet-config-from-transit
 eid-record-provider instance-id 4101
 exit-eid-record-provider
 !
exit-extranet

Extranet Policy on a local CP:

show lisp extranet Extranet_Policy_1_Services instance-id 4101
LISP Extranet policy table
Home Instance ID: 4101
Prov/Sub    Source              InstID  EID prefix
Provider    Default ETR Reg V4  4101
Subscriber  Config-Propagation  4099    172.16.8.0/24
Subscriber  Config-Propagation  4099    172.16.42.0/24
Total entries: 3

Extranet Policy on the TCP nodes:

show lisp extranet Extranet_Policy_1_Services instance-id 4101
LISP Extranet policy table
Home Instance ID: 4101
Prov/Sub    Source              InstID  EID prefix
Provider    Default ETR Reg V4  4101
Subscriber  Dynamic             4099    172.16.8.0/24
Subscriber  Dynamic             4099    172.16.42.0/24
Total entries: 3
Cisco SD-Access Extranet Workflow

Extranet Policy created on Cisco Catalyst Center:

VN Policy Name   Provider VN   Subscriber VN
First_Policy     Services      Campus

[Diagram: DHCP, DNS, AD (Shared Services) in Provider VN Services behind the VRF-lite handoff; Cisco SD-Access Network with Subscriber VN "Campus" - 172.16.8.0/24]

Cisco SD-Access - Extranet YouTube video with demo
Cisco SD-Access Extranet
Key Takeaways

Overview
• Automated route-leaking configuration via Cisco Catalyst Center.
• Subscriber to Subscriber communication is not supported.
• Extranet is not meant to leak one Fabric VRF into another Fabric VRF.
• If two devices inside the Fabric need to communicate with one another, put them in the same Virtual Network.
• If inter-VN policy enforcement is desired on devices such as firewalls, use traditional route leaking instead.
Progress Chart

[Diagram: Data Center, Fabric Underlay, Layer 2 Access; SD-Access Networks (Migration Sites 1, 2 and 3) and Migration Site 4; Cisco Catalyst Center, ISE, DHCP/DNS/AD (Services); Critical Services; Seamless Internet]
Seamless Internet Connectivity
LISP Pub/Sub

Cisco SD-Access
Seamless Internet Connectivity
• Consistent policy across Cisco SD-Access sites.
• No loss in Internet connectivity (Active/Backup Internet).
Cisco SD-Access
Seamless Internet Connectivity
• Cisco SD-Access Transit

• LISP Publisher/Subscriber

SD-Access Transits

Fabric Constructs
Transits – A Closer Look

Transits connect a Fabric Site to another network or another Fabric Site.

• Connect a Fabric Site to the external world and the Data Center.
• Connect a Fabric Site to other Fabric Sites.

[Diagram: Fabric Site connected through a Transit to Shared Services, the Internet and the Data Center]
Fabric Constructs
Transits – A Closer Look

[Diagram: IP-Based Transit vs SD-Access Transit, layer by layer]

IP-Based Transit (Fabric Site - IP network - Fabric Site):
• Management: Cisco Catalyst Center; Cisco ISE carries SGTs between sites with SXP
• Control plane: LISP inside each Fabric Site; BGP over VRF-lite at the Border handoff; MP-BGP or another protocol across the transit network
• Data plane: VXLAN header (SGT 16 bits, VNID 24 bits) inside each site; 802.1Q (VLAN ID 12 bits) at the handoff; MPLS labels (VPN 20 bits) across the transit network

SD-Access Transit (Fabric Site - SD-Access Transit - Fabric Site):
• Management: Cisco Catalyst Center
• Control plane: LISP end to end
• Data plane: VXLAN header (SGT 16 bits, VNID 24 bits) end to end
Fabric Constructs (For Your Reference)
Transits – A Closer Look

IP-Based Transit
• Borders hand off traffic directly to the external domain with VRF-lite and BGP.
• End-to-end policy is maintained using manual configuration.
• Requires remapping of VRFs and SGTs to maintain policy and segmentation between sites.
• Traffic between sites uses the external network's control plane and data plane protocols.

SD-Access Transit
• Maintains Cisco SD-Access constructs (LISP, VXLAN, CTS) natively between sites.
• End-to-end policy is maintained using the Fabric encapsulation.
• End-to-end automated by Cisco Catalyst Center.
• Uses domain-wide Control Plane Nodes for inter-site control plane communication.
• Requires the WAN / MAN to support a large enough MTU for the 50-byte VXLAN header, or TCP MSS adjustment.
Cisco SD-Access Deployment (For Your Reference)
Multisite Deployment with SD-Access Transit

[Diagram: fabric sites joined by SD-Access Transit]

SD-Access Transit is a native solution carrying VN and SGT between Fabric sites.

Typical use cases:
o Fully automated site-to-site connectivity
o Consistent policy and end-to-end segmentation using VNs and SGTs
o Sites in the same Metro area or Campus

• Transit Control Plane nodes are dedicated devices with IP reachability to every fabric site's Border nodes.
• Transit Control Plane nodes are not required to be in the data forwarding path.
• Transit Control Plane nodes maintain the aggregate prefixes of all Fabric sites.
• A Fabric site Border node must be of External or Anywhere border type to connect to SD-Access Transit.
• SD-Access Transit can be deployed with LISP/BGP or LISP Pub/Sub.
SD-Access Control Plane Protocols
An Introduction to LISP Pub/Sub

SD-Access Control Plane Protocol (Cisco Catalyst Center 2.2.3.x)

LISP/BGP
• Released circa 2017
• Reliable and stable
• BGP transport

LISP Pub/Sub
• Released in 2021
• Reliable and stable
• Native LISP transport
• Highly extensible
• Faster convergence
• Less control plane load
LISP Pub/Sub
What Challenges are We Solving?
Extensibility
• LISP Pub/Sub builds a new framework for LISP infrastructure.
• LISP Pub/Sub architecture is a building block for other features and capabilities:
• Dynamic Default Border Node
• LISP Backup Internet
• SD-Access Extranet
• Multicast across SD-Access Transit

LISP Pub/Sub
Architecture Introduction
• LISP Pub/Sub is a new control plane protocol for SD-Access.
• It is a signaling protocol that carries information such as prefixes, mappings, and other data.
• LISP Pub/Sub provides the capability to selectively push information.

Architecture Use Cases
• LISP Pub/Sub removes the dependency on BGP to propagate information within the Fabric Site.
• LISP Pub/Sub adds new features and capabilities because of the information it can carry.
LISP/BGP Control Plane
Before LISP Pub/Sub

Reliance on BGP
• To push the LISP Site-Registration table to another device, another protocol was needed.
• BGP was used as that transport.
• This created an underlying reliance on BGP.

[Diagram: the Site-1 Control Plane Node receives Map-Registrations; the Site-1 Border Nodes peer by iBGP with a Route-Reflector and by eBGP with the DC and Site-2; each Border imports the BGP-learned prefixes into its map-cache with "route-import database bgp"]
LISP/BGP Control Plane (For Your Reference)
Before LISP Pub/Sub

Reliance on BGP
• With BGP, LISP only knows the prefixes, not the full EID-to-RLOC mappings.
• BGP populates the map-cache with an incomplete entry.
• The map-cache is fully resolved through map-requests.
• This means additional control plane protocol messages.
• When BGP reconverges, the map-cache needs to be updated.
• This means further control plane messages.
LISP Pub/Sub Control Plane
The Architecture Evolution
• The Control Plane Node notifies Border Nodes about mapping changes along with additional details associated with those mappings.
• LISP Pub/Sub uses native LISP, with no external protocol such as BGP, to propagate the prefixes and the full mapping information.

[Diagram: the Site-1 Control Plane Node publishes to the Site-1 Border Nodes over LISP Pub/Sub; only the handoff to the DC still uses eBGP; Site-2 is reached over LISP Pub/Sub]
LISP Pub/Sub Control Plane (For Your Reference)
Basic Definitions – Part 1

Subscription
• The process LISP devices use to express interest in a certain portion of the information within the mapping system.

Publication
• The information that the mapping system sends to the Subscriber (the LISP device).

LISP Pub/Sub Control Plane (For Your Reference)
Basic Definitions – Part 2

Subscribers
• Border Nodes

Publishers
• Control Plane Nodes / Transit Control Plane Nodes

[Diagram: Publishers (Control Plane Nodes) and Subscribers (Border Nodes)]
LISP Pub/Sub (For Your Reference)
Details
• In release 2.2.3.x, LISP Pub/Sub is supported only for newly created fabric sites with devices running IOS XE software ≥ 17.6.x.
• Migration from LISP/BGP to LISP Pub/Sub is not currently available.
• When Catalyst Center is upgraded to release 2.2.3.x, fabric sites created before the upgrade continue to operate as LISP/BGP-based fabrics.
• Transit Control Plane Nodes can support either LISP/BGP fabric sites or LISP Pub/Sub-based fabric sites, not both simultaneously.
• Ongoing support for LISP/BGP is not planned to end; LISP Pub/Sub is recommended for new deployments.
• A migration workflow from LISP/BGP to LISP Pub/Sub is in development and tentatively planned for CY25. Please reach out to Cisco for exact details and timelines.
LISP Dynamic Default Border Node

LISP Pub/Sub - Dynamic Default Border
Current Network Challenges

Loss of Default Route
• If a Border Node loses its default route, it can take minutes for the network to converge (BGP).
• Note: this is a common routing challenge that is not specific to the SD-Access LISP Fabric.

Potential Ways to Solve for Loss of Default Route
• Bidirectional Forwarding Detection (BFD)
• Per-VRF iBGP between redundant Border Nodes
• EEM scripts tracking the state of eBGP peers

Note: Convergence of the network after a Border Node reload is the responsibility of the IGP in the underlay.
Fabric Gateway of Last Resort
LISP BGP

LISP BGP (For Your Reference)
Problem Statement
• Configure an Edge Node to use one or more Border Nodes as the Fabric Gateway of Last Resort.
• In LISP terms: configure an xTR to use one or more PETRs as the gateway of last resort in the Fabric Site.
LISP BGP (For Your Reference)
Static Solution
• A static use-petr configuration is applied on all xTRs to configure the proxy-ETR.
• When an xTR receives a Negative Map-Reply (NMR) from the Map Server, it forwards the traffic to the configured proxy-ETR.
• The configured proxy-ETRs cannot be changed dynamically if external connectivity at the proxy-ETR changes.

router lisp
 ! Output omitted for brevity
 service ipv4
  itr map-resolver 192.168.10.1
  etr map-server 192.168.10.1
  etr
  use-petr 192.168.30.7          <- static use-petr configuration
  use-petr 192.168.30.8          <- static use-petr configuration
  proxy-itr 192.168.30.5
 exit-service-ipv4
LISP BGP Forwarding Logic

[Sequence: Host -> Edge Node -> Control Plane Node -> Border Node]
1. The Host sends a packet with destination IP 208.67.220.220 (an Internet destination).
2. Edge Node: map-cache miss, the packet is signalled to LISP.
3. Edge Node -> Control Plane Node: Map-Request for 208.67.220.220.
4. Control Plane Node -> Edge Node: Negative Map-Reply (NMR).
5. The Edge Node consults its use-petr configuration.
6. Subsequent packets to 208.67.220.220 are encapsulated and sent to the PETR (Border Node).
Fabric Gateway of Last Resort
LISP Pub/Sub

LISP Pub/Sub - Dynamic Default Border (For Your Reference)
Problem Statement
• Configure an Edge Node to use one or more Border Nodes as the Fabric Gateway of Last Resort.
• In LISP terms: configure an xTR to use one or more PETRs as the gateway of last resort in the Fabric Site.
LISP Pub/Sub - Dynamic Default Border (For Your Reference)
Solution
• Have LISP monitor the presence or absence of the default route on the Border Nodes.
• Do this on a per-VRF basis.
• Provide a method for the Border Nodes to register the state of the default route with the Control Plane Nodes.
• Dynamically program this default-route state into the map-cache on the Edge Nodes.
LISP Pub/Sub Solution Forwarding Logic

[Sequence: Host -> Edge Node -> Control Plane Node -> Border Node]
1. The Host sends a packet with destination IP 208.67.220.220 (an Internet destination).
2. Edge Node: map-cache miss, the packet is signalled to LISP.
3. Edge Node -> Control Plane Node: Map-Request for 208.67.220.220.
4. Control Plane Node -> Edge Node: Unknown-EID Map-Reply (UMR) with the list of Border Nodes that hold a default route.
5. The Edge Node populates its map-cache with the list of Border Nodes.
6. Subsequent packets to 208.67.220.220 are encapsulated and sent to a Border Node from that list.
LISP Pub/Sub - Dynamic Default Border
Definition of Terms
Registration
• A Border Node tracks the state of the default route for a given VRF.
• A Border Node then notifies the Control Plane Node of the state of the default route.

De-prioritization
• A Border Node notifies the Control Plane Node of the loss of the default route.
• The Border Node registers itself with the Control Plane Node with a LISP Priority of 255.
• A LISP Priority of 255 indicates the Border Node cannot be used as a Fabric Gateway of Last
Resort.

LISP Pub/Sub - Dynamic Default Border (For Your Reference)
Details
• Dynamic Default Border is enabled by default when there are External Borders in the fabric.
• Dynamic Default Border works only with LISP Pub/Sub-based fabrics.
• Dynamic Default Border monitors the default route on the External Border(s) and registers its state with the Control Plane node(s).
• With Dynamic Default Border, if an External Border loses upstream connectivity, fabric Edge nodes no longer forward traffic to that Border; they dynamically detect the change and forward the traffic via the other available External Borders.
• Traffic within the fabric therefore converges quickly, minimizing loss towards the failed Border while traffic traverses the other Border.
• This avoids the need to configure iBGP manually between External Borders.
• With Dynamic Default Border, fabric Edges no longer carry a static use-petr; instead they dynamically route the traffic to the Border with an active default route.
• Depending on the design, the Border node(s) register the default route with the local and/or Transit Control Plane node(s).
LISP Pub/Sub - Dynamic Default Border
LISP BGP

[Diagram, three animation frames: SD-Access Network (Migration Site 4) with two External Borders towards the Internet; eBGP to the upstream is automated, iBGP between the Borders is manual or template-driven]
LISP Pub/Sub - Dynamic Default Border
LISP Pub/Sub

[Diagram, three animation frames: SD-Access Network (Migration Site 4) with two External Borders towards the Internet; each EB tracks the default route (0.0.0.0/0) per Layer 3 VN; eBGP automated, iBGP manual/templates]
LISP Backup Internet

LISP Backup Internet
Comparison of Functionality

Dynamic Default Border Node
• Border convergence within a single Fabric Site.
• Removes the need for use-petr within the Fabric Site.

Backup Internet
• Essentially Border convergence across an SD-Access Transit.
• Removes the need for use-petr within the Fabric Domain.

• LISP Backup Internet builds on top of the Dynamic Default Border Node feature.
LISP Backup Internet

[Diagram, five animation frames: SD-Access Network (Migration Site 4) and SD-Access Network (Migration Site n), each with External Borders to its own Internet, joined by SD-Access Transit; the EBs track the default route (0.0.0.0/0) per Layer 3 VN with the Control Plane / Transit Control Plane nodes; eBGP is automated by Cisco Catalyst Center]
LISP Backup Internet
Key Takeaway
• In summary, local Internet is preferred over Backup Internet within the Fabric Site.
• If local Internet is down for the site, the Internet offered by other fabric sites is used (Backup Internet).
• Select the checkbox shown on the slide on the Border nodes if you want to share that site's Internet access.
LISP Backup Internet
Sample CLI Verification (> 17.6.2)

[Diagram: Migration Site 4 Borders 192.168.10.1 and 192.168.10.2; Migration Site n Borders 192.168.20.1 and 192.168.20.2; each EB tracks the default route (0.0.0.0/0) per Layer 3 VN with the Control Plane / Transit Control Plane nodes; sites joined by SD-Access Transit]

Both sites hold a default route: all four Borders are registered at priority 10 (PB = Primary/Direct in use, Backup available).

TCPN-1# show lisp remote-locator-set default-etrs
Codes:
<Skipped some codes>
P  = Primary/Direct in use, Backup not available
PB = Primary/Direct in use, Backup available
B  = Backup in use, Primary/Direct not available
BP = Backup in use, Primary/Direct available

LISP remote-locator-set default-etr-locator-set-ipv4 Information

RLOC          Pri/Wgt/Metric  Inst  Domain-ID/MH-ID   ETR      SI/ID
192.168.10.1  10/10/0         4099  1301190878/39134  Default  PB/-
192.168.10.2  10/10/0         4099  1301190878/39134  Default  PB/-
192.168.20.1  10/10/0         4099  338675736/51224   Default  PB/-
192.168.20.2  10/10/0         4099  338675736/51224   Default  PB/-
LISP Backup Internet
Sample CLI Verification ( >17.6.2)

Internet
Internet
EB`s- Tracks Default EB`s- Tracks Default
Route(0.0.0.0/0) Per Layer Route(0.0.0.0/0) Per Layer
3 VN with CP/TC 3 VN with CP/TC

192.168.20.1 192.168.20.2
192.168.10.1

TCPN-1# show
SD-Access lisp remote-locator-set default-etrs
Transit
Codes: SD-Access Network
SD-Access Network 192.168.10.2 (Migration Site n)
(Migration Site 4) <Skipped some codes>
P = Primary/Direct in use, Backup not available
PB = Primary/Direct in use, Backup available
B = Backup in use, Primary/Direct not available
BP = Backup in use, Primary/Direct available

LISP remote-locator-set default-etr-locator-set-ipv4 Information

RLOC Pri/Wgt/Metric Inst Domain-ID/MH-ID ETR SI/ID


192.168.10.1 255/10/0 4099 1301190878/39134 Default B/-
192.168.10.2 255/10/0 4099 1301190878/39134 Default B/-
192.168.20.1 10/10/0 4099 338675736/51224 Default PB/-
192.168.20.2 10/10/0 4099 338675736/51224 Default PB/-

LISP Remote Internet

Topology (diagram): a Remote SD-Access site is joined over the SD-Access Transit to SD-Access Network (Migration Site 4) and SD-Access Network (Migration Site n). Each of those two sites has its own Internet exit, with external borders (EBs) tracking the default route (0.0.0.0/0) per Layer 3 VN with CP/TC; the remote site has no Internet exit of its own.

The Remote SD-Access site uses the Internet of either Site 4 or Site n by default, provided Internet access is shared on those sites' Border nodes.
LISP Border Node Priority

Topology (diagram): same layout as LISP Remote Internet. The external borders of Migration Site 4 are configured with border priority 6, the external borders of Migration Site n with border priority 9.

• The Remote SD-Access site always prefers Migration Site 4, because its LISP priority value (6) is lower and the lower value is preferred.
• Remote-site traffic goes via Migration Site n only if Site 4 has no Internet, that is, when the Site 4 borders no longer hold a default route.
UI Automation

Diagram: the Internet above an SD-Access Fabric that contains a Campus VN and an IOT VN; the two border-level settings automated from the Catalyst Center UI, AS path Prepend and Border Priority, sit between the fabric borders and the Internet.
For Your Reference
Border Node Priority
Details
• Supported from Cisco Catalyst Center 2.3.3.x.
• Cisco Catalyst Center lets the user select which border node egresses the fabric network traffic.
• Priority values range from 1 to 9; 1 is the highest priority and 9 the lowest, and the border with the lower number is the preferred border.
• By default (if the user does not set a value) a border is assigned priority 10. If border priorities are not set, or are the same across borders, traffic is load balanced across the border nodes.
• The border node priority can be modified on Day N without removing devices from the fabric.
• The priority value set for a border applies to all the virtual networks that are handed off from that border. Because one value covers every VN on that border, the priority cannot steer one VN to a different border than another.
• If an SD-Access Transit interconnects the fabric sites, the external border with the lowest priority value is chosen to send traffic to external networks.
• Supported with both LISP Pub/Sub and LISP BGP fabrics.
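The two CLI captures and the border priority rules above describe one selection: the transit control plane hands out the default ETRs (border RLOCs) ordered by LISP priority, and a border that has lost its default route drops to priority 255. The following Python is an added example for this page, not Cisco code. It parses the table printed by show lisp remote-locator-set default-etrs and applies LISP locator semantics (RFC 6830: lowest priority value wins, 255 means never use, equal priorities are shared in proportion to weight; how an ITR splits traffic when every weight is 0 is left to the ITR, and this example splits evenly). Treating the Catalyst Center border priority (1 to 9, default 10) as that LISP priority value is an assumption based on the deck's description. Both sample outputs are constructed to mirror the deck's tables.

```python
"""Parse 'show lisp remote-locator-set default-etrs' and pick the default ETRs.

Added example, not Cisco code. Sample captures below are constructed from the
tables on the slides; selection follows RFC 6830 locator semantics.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample mirroring the second capture: Site 4 borders (192.168.10.x,
# Domain-ID 1301190878) lost their default route and re-registered at 255.
SAMPLE_BACKUP_IN_USE = """\
TCPN-1# show lisp remote-locator-set default-etrs
Codes:
  P  = Primary/Direct in use, Backup not available
  PB = Primary/Direct in use, Backup available
  B  = Backup in use, Primary/Direct not available
  BP = Backup in use, Primary/Direct available

LISP remote-locator-set default-etr-locator-set-ipv4 Information

RLOC          Pri/Wgt/Metric  Inst  Domain-ID/MH-ID    ETR      SI/ID
192.168.10.1  255/10/0        4099  1301190878/39134   Default  B/-
192.168.10.2  255/10/0        4099  1301190878/39134   Default  B/-
192.168.20.1  10/10/0         4099  338675736/51224    Default  PB/-
192.168.20.2  10/10/0         4099  338675736/51224    Default  PB/-
"""

# Constructed sample for the border-priority case: Site 4 borders configured
# with priority 6, Site n borders with 9, all holding a default route.
SAMPLE_BORDER_PRIORITY = """\
RLOC          Pri/Wgt/Metric  Inst  Domain-ID/MH-ID    ETR      SI/ID
192.168.10.1  6/10/0          4099  1301190878/39134   Default  PB/-
192.168.10.2  6/10/0          4099  1301190878/39134   Default  PB/-
192.168.20.1  9/10/0          4099  338675736/51224    Default  PB/-
192.168.20.2  9/10/0          4099  338675736/51224    Default  PB/-
"""


@dataclass(frozen=True)
class DefaultEtr:
    rloc: str
    priority: int
    weight: int
    metric: int
    instance_id: int
    domain_id: int
    mh_id: int
    state: str  # SI column: P, PB, B or BP


# One data row: RLOC, Pri/Wgt/Metric, Inst, Domain-ID/MH-ID, ETR, SI/ID
ROW_RE = re.compile(
    r"^\s*(?P<rloc>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<pri>\d+)/(?P<wgt>\d+)/(?P<met>\d+)\s+"
    r"(?P<iid>\d+)\s+"
    r"(?P<dom>\d+)/(?P<mh>\d+)\s+"
    r"(?P<etr>\S+)\s+"
    r"(?P<si>[A-Z]+)/(?P<id>\S+)\s*$"
)


def parse_default_etrs(text: str) -> List[DefaultEtr]:
    """Return the data rows of the show output; header and legend lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(DefaultEtr(
                rloc=m["rloc"], priority=int(m["pri"]), weight=int(m["wgt"]),
                metric=int(m["met"]), instance_id=int(m["iid"]),
                domain_id=int(m["dom"]), mh_id=int(m["mh"]), state=m["si"]))
    return rows


def select_default_etrs(etrs: List[DefaultEtr], instance_id: int) -> Dict[str, float]:
    """Map RLOC -> share of default traffic for the locators that will be used.

    Priority 255 is excluded, the lowest remaining priority wins, and ties are
    split by weight (evenly if all weights are 0)."""
    usable = [e for e in etrs if e.instance_id == instance_id and e.priority < 255]
    if not usable:
        return {}
    best = min(e.priority for e in usable)
    chosen = [e for e in usable if e.priority == best]
    total = sum(e.weight for e in chosen)
    if total == 0:
        return {e.rloc: 1.0 / len(chosen) for e in chosen}
    return {e.rloc: e.weight / total for e in chosen}


def backup_in_use(etrs: List[DefaultEtr]) -> List[str]:
    """RLOCs whose SI code (B or BP) says their own Primary/Direct Internet is gone."""
    return [e.rloc for e in etrs if e.state.startswith("B")]


if __name__ == "__main__":
    rows = parse_default_etrs(SAMPLE_BACKUP_IN_USE)
    print("borders on backup:", backup_in_use(rows))
    print("default ETRs in use:", select_default_etrs(rows, 4099))
```

Run against the first sample the selection returns only the Site n borders, each with half the traffic, which is the Backup Internet behaviour the capture shows; against the second it returns the Site 4 borders (priority 6) and ignores Site n (priority 9) until Site 4 drops out.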
For Your Reference
Per Border Ingress Steering with AS Path Prepend
Details
• From Cisco Catalyst Center release 2.3.7.x, ingress steering (influencing incoming traffic) is supported per Border node through AS path prepend, implemented with route-map configuration on the border's BGP hand-off.
• AS path prepend as an ingress steering feature lets a fabric designate specific Border nodes to receive traffic entering from outside the fabric.
• It also lets the fabric define fallback Border nodes that receive the traffic if the preferred borders stop advertising it. This feature is distinct from Border Priority, which steers traffic within the fabric toward an egress border; ingress steering determines which border the outside network sends traffic to.
• The benefits of AS path prepending include influencing incoming traffic, load balancing, ensuring a proper (symmetric) return path, avoiding congestion, enhancing application performance and aiding in troubleshooting.
• It is disabled by default and is enabled per Border node with a radio button.
• The prepend count can be set between 1 and 10.
For Your Reference
Per Border Ingress Steering with AS Path Prepend
Configuration pushed on Border Nodes

route-map PREPEND-AS-PATH permit 20
 set as-path prepend 65001 65001 65001
!
router bgp 65001
 address-family vpnv4
  bgp redistribute-internal
 address-family ipv4 vrf Campus
  neighbor 172.16.7.2 route-map PREPEND-AS-PATH out

(The user selected a prepend value of 3, so the local AS 65001 is prepended three times. On an eBGP hand-off the local AS is added once more when the route is advertised, so the peer sees 65001 four times in the AS_PATH.)

• Once selected, Catalyst Center pushes new or modified configuration for the BGP neighbors of that border, attaching the PREPEND-AS-PATH route map with the selected prepend length in the outbound direction.
• The route-map entry has no match clause, so it applies to every prefix advertised to that neighbor. To verify, check on the upstream peer that the fabric prefixes received from this border carry the extra 65001 entries and that the border without prepend is the one selected as best path.
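The slide shows the route map for one prepend value; what a practitioner wants to confirm is the generated text for any allowed value and the effect on the upstream peer, including the fallback when the preferred border withdraws. The following Python is an added example for this page, not Catalyst Center's own automation. It reuses the route-map name, sequence number, VRF, neighbor and AS number from the slide; the border names and the withdrawal scenario are constructed. The peer simulation applies only the AS_PATH-length step of BGP best-path selection and does not model the later tie-breakers (origin, MED, eBGP over iBGP, IGP metric, router ID).

```python
"""Per-border ingress steering with AS-path prepend.

Added example, not Catalyst Center code. Renders the route-map shown on the
slide for a chosen prepend count and shows which border the eBGP peer prefers.
"""
from typing import Dict, List, Tuple

ROUTE_MAP = "PREPEND-AS-PATH"      # route-map name used on the slide
MIN_PREPEND, MAX_PREPEND = 1, 10   # input range accepted by the Catalyst Center UI


def valid_prepend_count(count: int) -> bool:
    return MIN_PREPEND <= count <= MAX_PREPEND


def prepend_route_map(local_as: int, count: int, vrf: str, neighbor: str) -> str:
    """Render the route-map and the per-VRF neighbor line for one border hand-off."""
    if not valid_prepend_count(count):
        raise ValueError(f"prepend count must be {MIN_PREPEND}..{MAX_PREPEND}, got {count}")
    prepend = " ".join([str(local_as)] * count)
    return "\n".join([
        f"route-map {ROUTE_MAP} permit 20",
        f" set as-path prepend {prepend}",
        "!",
        f"router bgp {local_as}",
        f" address-family ipv4 vrf {vrf}",
        f"  neighbor {neighbor} route-map {ROUTE_MAP} out",
    ])


def advertised_as_path(local_as: int, prepend_count: int) -> Tuple[int, ...]:
    """AS_PATH as received by the eBGP peer: local AS once (added by eBGP) plus the prepends."""
    return tuple([local_as] * (1 + prepend_count))


def peer_best_paths(paths: Dict[str, Tuple[int, ...]]) -> List[str]:
    """Borders whose advertisement survives the AS_PATH-length comparison.

    Real BGP continues with origin, MED, eBGP/iBGP, IGP metric and router ID
    for equal-length paths; those steps are deliberately not modelled."""
    if not paths:
        return []
    shortest = min(len(p) for p in paths.values())
    return sorted(b for b, p in paths.items() if len(p) == shortest)


def steering_scenario() -> Dict[str, List[str]]:
    """Constructed scenario: Border-1 advertises unchanged, Border-2 prepends 3 times
    (the value chosen on the slide) so it only takes over when Border-1 withdraws."""
    paths = {"Border-1": advertised_as_path(65001, 0),
             "Border-2": advertised_as_path(65001, 3)}
    both_up = peer_best_paths(paths)
    paths.pop("Border-1")  # Border-1 stops advertising the fabric prefixes
    border1_down = peer_best_paths(paths)
    return {"both_up": both_up, "border1_down": border1_down}


if __name__ == "__main__":
    print(prepend_route_map(65001, 3, "Campus", "172.16.7.2"))
    print(steering_scenario())
```

The rendered text matches the slide for a count of 3; with both borders up the peer picks Border-1 (AS_PATH length 1 against 4), and after Border-1 withdraws the prepended Border-2 path is the only candidate, which is the fallback behaviour the feature description promises.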
For Your Reference
The Knowledge Vault ..
For More Information
• Deep Dive on LISP Architecture: LISP Architecture Evolution - New Capabilities Enabling SD-Access - BRKENS-2828
• Design Best Practices: Cisco SD-Access Best Practices - Design and Deployment - BRKENS-2502
• Information on SD-Access Transits: Cisco SD-Access – Connecting Multiple Sites in a Single Fabric Domain - BRKENS-2815
Cisco SD-Access
Seamless Internet Connectivity – Take Away
• With the SD-Access transit, packets are encapsulated between sites using the fabric VXLAN encapsulation. This natively carries the macro (VRF) and micro (SGT) policy constructs between fabric sites.
• A Cisco SD-Access transit built with LISP Pub/Sub has built-in functionality such as:
  • Dynamic Default Border
  • LISP Backup Internet
  • SD-Access Extranet
  • Multicast over SD-Access Transit
  • LISP Remote Internet (supported with LISP BGP as well)
  • Border Priority (supported with LISP BGP as well)
  • Per Border Ingress Steering with AS path prepend (supported with LISP BGP as well)
• All of the above is automated via Cisco Catalyst Center.
Progress Chart

Diagram: the session's use cases laid out over four fabric sites, SD-Access Network (Migration Site 1) to (Migration Site 4), with the shared services (Cisco Catalyst Center, ISE, DHCP, DNS, AD) and a Data Center. Topics: Data Center, Fabric Underlay, Layer 2 Access, Critical Services, Seamless Internet.
Connecting SD-Access Network to Data Center

Cisco SD-Access – Datacenter
• Consistent policy between the Campus and Datacenter domains in an acquisition

Diagram: Cisco Catalyst Center, ISE and the shared services (DHCP, DNS, AD) connected to the Data Center.
Diagram (SGT and EPG exchange): ISE talks to the ACI fabric (APIC) over REST API and to the SD-Access Network (Migration Site 1) over pxGrid; the ACI spine and leaf switches form the Data Center side. Common Policy Groups are shared between the two domains.
Diagram (policy exchange in detail): the ACI Policy Domain (Data Center: ACI spine and leaf) and the Cisco SD-Access Policy Domain (SD-Access Network, Migration Site 1) are connected at the border via BGP (VRF-Lite).

ISE exchanges (SD-Access to ACI):
• Group Name: Doctor (learned by ACI as an External EPG, EEPG; member = 10.1.10.220)
• SGT binding shared = 10.1.10.220
• This allows a contract to be built from the Doctor EEPG to the EMR EPG.

ISE retrieves (ACI to SD-Access):
• Group Name: EMR EPG (member 10.1.100.52)
• Binding shared: 10.1.100.52
• 10.1.100.52 is propagated into SD-Access via SXP.

Data path: SRC 10.1.10.220 (SGT Doctor, in the campus) to DST 10.1.100.52 (EMR EPG, in the data center) crosses the BGP/VRF-Lite hand-off; in ACI the Doctor EEPG to EMR EPG contract decides whether the flow is allowed.
Diagram (SGT and EPG exchange, new integration): Cisco ISE connects to the ACI fabric (spine and leaf) over REST API/pxGrid and to the campus over pxGrid. SGTs (SGT 1 to SGT 4) are deployed to the DC; EPGs/ESGs (EPG 1, EPG 2, ESG1, ESG 2) are retrieved from the DC.

Capabilities:
• Multi-Tenant
• Multiple L3Outs
• Multi-Pod
• Multi-VRF
• Filter SGTs sent to DC
• Filter EPGs/ESGs sent to campus

Availability: Cisco ISE 3.4 with ACI 6.1(1) as Limited Availability for the solution; Cisco ISE 3.4 Patch 1 with ACI 6.1(2) as General Availability.
Diagram (outbound rules: SD-Access groups sent to ACI): the ACI Policy Domain holds Tenant 1 (ACI spine and leaf, EPG 1, EPG 2, L3Out) and Tenant 2 (ACI spine and leaf, ESG1, ESG 2, L3Out); the Cisco SD-Access Policy Domain holds the SD-Access Network (Migration Site 1) with SGT 1 to SGT 4. The Tenant 1 L3Out receives SGT 1 and SGT 2, the Tenant 2 L3Out receives SGT 3 and SGT 4, each converted to an EEPG. ACI is the Policy Enforcement Domain.

1. ISE connects to APIC over REST API/pxGrid and to the campus over pxGrid.
2a. Upon establishing a successful connection over the API, ISE sees all EPGs/ESGs and Tenants.
2b. The user can subscribe to the required IP-to-EPG/ESG mappings through pxGrid.
3. Outbound Rule 1 from ISE: send SGT 1 and SGT 2 (converted to EEPGs) to the Tenant 1 L3Out.
4. Outbound Rule 2 from ISE: send SGT 3 and SGT 4 (converted to EEPGs) to the Tenant 2 L3Out.
5. Establish the corresponding contract, or add the group to an existing contract.
Diagram (inbound rules: ACI groups sent to SD-Access): the same ACI Policy Domain with Tenant 1 (EPG 1, EPG 2, L3Out) and Tenant 2 (ESG1, ESG 2, L3Out); the Cisco SD-Access Policy Domain holds the SD-Access Network (Migration Site 1) with SGT Domain VN1 and SGT Domain VN2. EPG 1 and ESG1 are converted to SGTs and their IP/SGT mappings reach SD-Access via SXP. SD-Access is the Policy Enforcement Domain.

1. ISE connects to APIC over REST API/pxGrid; the resulting IP/SGT mappings are sent to SD-Access via SXP.
2a. Upon establishing a successful connection over the API, ISE sees all EPGs/ESGs and Tenants.
2b. The user can subscribe to the required IP-to-EPG/ESG mappings through pxGrid.
3. SGT Domain inbound rule from ISE: put EPG 1 from Tenant 1 (converted to an SGT) into SGT Domain VN1 and send it to the destination.
4. SGT Domain inbound rule from ISE: put ESG1 from Tenant 2 (converted to an SGT) into SGT Domain VN2 and send it to the destination.
Diagram (firewall enforcement): the ACI Policy Domain with Tenant 1 (EPG 1, EPG 2, L3Out) and Tenant 2 (ESG1, ESG 2, L3Out); the Cisco SD-Access Policy Domain with the SD-Access Network (Migration Site 1) and an SGT Domain. ISE connects to APIC over REST API/pxGrid and sends SGTs and IP:SGT mappings over pxGrid to a Firewall between the two domains; the firewall is the Policy Enforcement Domain and receives SGT in-line tagging over 802.1Q on its fabric-facing link. EPG 1 is converted to an SGT.

Contract table on the firewall:
SGT     DGT     Contract
SGT 1   EPG 1   Deny

• ISE subscribes to selected ESGs/EPGs in the ACI fabric
• ESGs/EPGs are sent to the firewall for enforcement
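The three enforcement variants above (contract in ACI, SGACL in SD-Access, rule on a firewall) all reduce to the same two steps: classify source and destination IP into a group from the exchanged bindings, then look the pair up in that domain's policy. The following Python is an added example for this page, not ISE, APIC or Catalyst Center code; it serves both the Doctor/EMR contract diagram and the firewall table. The Doctor binding (10.1.10.220), the EMR EPG member (10.1.100.52) and the firewall row SGT 1 / EPG 1 / Deny come from the slides; the additional prefixes, the IPs for SGT 1 and EPG 1 and the data structures standing in for the pxGrid/REST and SXP feeds are constructed. ACI is modelled as deny unless a contract permits, which is how ACI contracts work; the firewall's permit-by-default is an assumption of this example, not something the slide states.

```python
"""Cross-domain policy decision from exchanged SGT/EPG bindings.

Added example, not ISE/APIC/Catalyst Center code. Group names and the two
slide IPs come from the deck; everything else is constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


class BindingTable:
    """IP prefix -> group name, resolved by longest-prefix match, the way an
    enforcement point classifies a packet from IP:SGT bindings or EPG subnets."""

    def __init__(self) -> None:
        self._entries: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add(self, prefix: str, group: str) -> None:
        self._entries.append((ipaddress.ip_network(prefix, strict=False), group))

    def lookup(self, ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(ip)
        best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
        for net, group in self._entries:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, group)
        return best[1] if best else None


class EnforcementDomain:
    """One enforcement point with its own rule table and default action."""

    def __init__(self, name: str, default_action: str,
                 rules: Dict[Tuple[str, str], str]) -> None:
        self.name = name
        self.default_action = default_action
        self.rules = rules

    def decide(self, bindings: BindingTable, src_ip: str, dst_ip: str) -> Dict[str, str]:
        src = bindings.lookup(src_ip) or "unknown"
        dst = bindings.lookup(dst_ip) or "unknown"
        action = self.rules.get((src, dst), self.default_action)
        return {"domain": self.name, "src_group": src, "dst_group": dst, "action": action}


def build_exchanged_bindings() -> BindingTable:
    """Bindings as they would exist after the ISE <-> APIC exchange and SXP propagation."""
    t = BindingTable()
    # Shared by ISE toward ACI: SGT binding, learned in ACI as External EPG "Doctor" (slide)
    t.add("10.1.10.220/32", "Doctor")
    # Retrieved by ISE from APIC: EMR EPG member, propagated into SD-Access via SXP (slide)
    t.add("10.1.100.52/32", "EMR")
    # Constructed extra prefixes (not on the slides) to show longest-prefix matching
    t.add("10.1.100.0/24", "DC-Servers")
    t.add("10.1.20.0/24", "Guest")
    # Constructed members for the firewall slide's SGT 1 / EPG 1 rule
    t.add("10.1.30.10/32", "SGT 1")
    t.add("10.1.200.5/32", "EPG 1")
    return t


# ACI: whitelist model, nothing passes between groups without a contract.
# The only contract is the one the slide says ISE's exchange makes possible.
ACI_FABRIC = EnforcementDomain("aci", "deny", {("Doctor", "EMR"): "permit"})

# Firewall fed over pxGrid: the one explicit row from the slide's contract table.
# Default permit is an assumption of this example.
FIREWALL = EnforcementDomain("firewall", "permit", {("SGT 1", "EPG 1"): "deny"})


if __name__ == "__main__":
    b = build_exchanged_bindings()
    print(ACI_FABRIC.decide(b, "10.1.10.220", "10.1.100.52"))  # Doctor -> EMR
    print(ACI_FABRIC.decide(b, "10.1.20.7", "10.1.100.52"))    # Guest -> EMR
    print(FIREWALL.decide(b, "10.1.30.10", "10.1.200.5"))      # SGT 1 -> EPG 1
```

The ACI domain permits the Doctor to EMR flow only because the shared binding let a contract be written for the Doctor EEPG; a source with no contract (the constructed Guest prefix) is dropped by ACI's default, while on the firewall the same classification step hits the explicit SGT 1 to EPG 1 deny row and everything else falls through to the default. The /32 entries win over the /24 on longest-prefix match, which matters when an EPG subnet and an individual SGT binding overlap.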
The Knowledge Vault ..

• Available in previous BRKENS-2811 sessions:
  • Policy Enforcement on Firewall with Demonstration
  • Consistent Policy Propagation over Cisco SD-WAN network
For Your Reference
Cisco SD-Access to Cisco ACI
Details
• Current SD-Access to ACI integration:
  • Policy plane integration between ISE and APIC via REST API
  • SGT/EPG exchange between ISE and APIC (no ESG)
  • Policy enforcement possible in SD-Access/ISE or in ACI
  • Design considerations: single APIC, Tenant, VRF and L3Out
• SD-Access to ACI integration with Multi-Tenant/VRF/L3Out will be available as Limited Availability from Cisco ISE 3.4 with ACI 6.1(1), and Generally Available from Cisco ISE 3.4 Patch 1 with ACI 6.1(2). (Reach out to Cisco for exact details and timelines.)
Global Partner Solution Advisors
NEW - Fully Virtualized SD-Access Secure Campus Lab

Virtualized SD-Access Lab
• Fully customizable topology with virtualized Catalyst 9kv and 8kv devices
• Access on dCloud or build on your existing Data Center
• Fraction of the cost
• GPSA mentored lab buildout support available!

CTF Mission
• Experience the SD-Access Virtual Lab at Capture the Flag in The World of Solutions
• Use cases: Fabric Sites and Virtual Network Provisioning, Fusion Automation, Extranet, Micro Segmentation, and more!

Contact
• GPSA is your source for no-cost partner enablement and practice building!
• Visit the Global Partner Experience booth (4227), across from Capture the Flag, for more information.

Links on the slide: Virtual SD-Access Lab on dCloud; GPSA Sales Connect Page; CTF at Cisco Live (check out the Secure Campus section).
Catalyst Leadership in Enterprise Networks
A Platform-based Approach

Common Cloud Managed: Catalyst Center and Meraki Dashboard
• 28M network devices managed, 50% Y/Y: 19M APs | 6M Switches | 2.5M Routers | 830M Clients
• 13M devices on Catalyst Center, 15.3M devices on Meraki Dashboard

Secure Networking: Campus Policy, Secure Equipment Access, SD-Access (LISP & EVPN), High-speed Encryption
Digital Experience: AI Endpoint Analytics, Digital Experience (ThousandEyes), AI Ops & Assurance
Operational Simplicity: Automation (Catalyst), Infrastructure as a Code, S3 & CloudWatch Integration, Visibility, Control & Rollback
(Items are marked New Feature or Enhanced on the slide.)

Catalyst 9000 Family: 100,000+ customers, millions of switches. "Catalyst 9K continues to be the fastest ramping product in the company's history" - Chuck Robbins, CEO, Cisco Systems

Cisco Validated Profiles (CVP) | Industry Validated Reports | Industry Certifications | Cisco Modeling Labs
Effortlessly Deploy Your Fabric of Choice
LISP Fabric is the leading choice for Enterprise customers!

LISP (BU recommended control plane)
• Simple: Standards-based, campus optimized
• Efficient: Lightweight, unparalleled scale and high performance due to rapid convergence time
• Extensible: Highly extensible to drive innovation (PubSub, Multi-site, Extranet)
• Robust: Integrated wireless with L2 mobility

BGP EVPN VXLAN Fabric (ongoing EFT)
• Extend fabric across DC and Campus
• Multi-vendor deployment
• Wireless over the top
• Fabric support campus wide
• Network segmentation

One Infrastructure | Single Data Plane | Consistent Zero-Trust Experience
Cisco SD-Access LISP Collaterals
• Cisco Software-Defined Access for Industry Verticals: Healthcare, Financial, Manufacturing, Retail, University
• Cisco Software-Defined Access: Enabling intent-based networking
• Cisco Solution Validated Profiles (CVPs): Cisco Large Enterprise and Government Profile, Healthcare Vertical
• Cisco SD-Access YouTube Link
• Cisco SD-Access Design Tool
• EN&C Validated Designs: The Latest SD-Access Guides
SD-Access Platform Support
Platform support based on the fabric role (table on the slide; see the Cisco Catalyst Center Data Sheet).
For more details: Cisco Software-Defined Access Compatibility Matrix, the supported hardware and software versions for all Cisco SD-Access components.

Cisco SD-Access Scale Details
For more details: Cisco Catalyst Center Data Sheet
Summary and What's Next
• Thank you. We can't do this without you! ☺
• Keep sharing the feedback. We are listening.
• Ask the Cisco Sales or CX teams for help.
• Ask questions on the Cisco SD-Access communities: http://cs.co/sda-community
• Go Cisco SD-Access!
Complete Your Session Evaluations
• Complete a minimum of 4 session surveys and the Overall Event Survey to be entered in a drawing to win 1 of 5 full conference passes to Cisco Live 2025.
• Earn 100 points per survey completed and compete on the Cisco Live Challenge leaderboard.
• Level up and earn exclusive prizes!
• Complete your surveys in the Cisco Live mobile app.
Continue your education
• Visit the Cisco Showcase for related demos
• Book your one-on-one Meet the Engineer meeting
• Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
• Visit the On-Demand Library for more sessions at www.CiscoLive.com/on-demand

Contact me via the Webex App at https://ciscolive.ciscoevents.com/ciscolivebot/#BRKENS-2811

Thank you