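"Migration to Multi-Region Fabric - Transform and Simplify Middle-mile Based Network Designs for Large Scale, Cloud and Colo based SD-WAN Networks.pdf" was shared by a member and can be read online. For more related material, search for "Migration to Multi-Region Fabric - Transform and Simplify Middle-mile Based Network Designs for Large Scale, Cloud and Colo based SD-WAN Networks.pdf (88 pages, collector's edition)" on 三個皮匠報告.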

#CiscoLive

Migration to Multi-Region Fabric
Transform and Simplify Middle-mile Based Network Designs for Large Scale, Cloud and Colo based SD-WAN Networks
Hamzah Kardame, Leader, Product Management
Tahir Ali, Technical Leader, Technical Marketing
BRKENT-2651
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex App
Questions? Use Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.

Agenda
- Brief overview and why MRF
- MRF: A quick look
- Design considerations
- Migration steps
- Migration from
  - OMP Core
  - BGP Core
- Conclusion

About Me - Hamzah K
- Management, SD-WAN
- 2010-2016: WW TAC Lead
- CCIE Security 35596
- 2017-2020: Technical Leader, TME
- Viptela integration, SD-WAN for MSPs
- CSC Webcast, Ask the Expert, Webinars, Cisco Blogs, C Guides, Tech Field Day
- Experience / Expertise: WAN, SD-WAN and Network Security; PKI, TLS, IKEv1/v2/IPsec, DMVPN, GETVPN, FlexVPN, WAAS, Cisco Firewalls, AnyConnect
- Featured

About Me - Tahir Ali
- Marketing, SD-WAN
- 2006-2015: Pre-sales, Post-sales, Operations, Partners/MSPs
- 2015-Present: Viptela integration, Feature Development, Solution Design
- CCIE #26070 (Emeritus): Service Provider, Security, Data Center
- AWS-SA, RedHat
- Experience / Expertise: Routing/Security, SD-WAN Fabric and Policies, Multi-Region Fabric, SD-WAN Security
- Certifications

Overview & Why Multi-Region Fabric (MRF)

WAN is evolving to a service exchange
- The internet is changing from a network-of-networks to a network of data centers
- SDCI* and multiple provider backbones
- Large POP and Colo footprint
- Short-term contracts, usage-based
- Trending toward single ISP first-mile access
- On demand
*SDCI: Software Defined Cloud Interconnect
[Diagram: CSP DC, Private DC, Thin edge, WAN + Core, QoE + CSP specific paths, SaaS, Compressed first mile access, IGP path selection, Internet, SP access, SDCI provider backbone, CSP private access, Regional Peering Edge]

Typical WAN Design Blueprint
- MSP Mid-mile
- SDCI Mid-mile
- CSP Mid-mile
- Private/ENT Mid-mile

Without multi-region fabric
- Complex control policies for regional mesh
- Complex control policies for horizontal scaling
- Complex network planning with route redistribution, route-tags & route trackers, etc.
- Complex control policies for disjoint networks
[Diagram: US West, US East, Europe; SD-WAN CPE, OMP, MPLS, INET, PE; Inter region; Private only; Public only. Legend: Middle-mile backbone routing, SD-WAN tunnels/TLOCs]

Transform from
[Diagram: SD-WAN CPE, MPLS, INET, SD-WAN GW, OMP/BGP redistribution. Legend: Middle-mile backbone routing, Inter region connectivity, Centralized vSmarts, SD-WAN tunnels/TLOCs]

Cisco SD-WAN multi-region fabric
SD-WAN evolved for any middle-mile topology
- Automatic hop-by-hop inter-region routing
- Eliminate lengthy global network policies
- Scalable design
- Simpler redundancy planning
- Flexible architecture to cater to dynamic network needs
- Operationally easier to deploy and manage
[Diagram: Access region 1, Access region 2, Core region; Edge routers, Border routers, OMP, SD-WAN CPE, MPLS, INET; Middle-mile: MSP, Equinix, AWS, Megaport, Google Cloud, Microsoft Azure; SD-WAN Tunnels; Inter region connectivity; Distributed vSmarts]

MRF Key Capabilities
- Intuitive user-defined site grouping, e.g. based on geo
- Finer grouping using sub-regions
- Auto restrict overlay tunnels between regions
- Different topologies per region
- Mix access transports across regions
- Scale up control-plane per region(s)
[Diagram: US region, EMEA region, Core region, SP/CSP/Private backbone, BR/regional hub, ER/branch]

Multi-Region Fabric: A Quick Look

Regions and Roles
- Tunnels contained within regions: potentially use smaller branch routers with lower tunnel capabilities
- Flexibility and Scaling: mesh/partial mesh/hub and spoke within a region
- Global reachability via multiple Border Routers in every Region
- Break down the network into groups, based on geo / nature of access needed at sites / nature of services needed by sites or other such parameters
- Regions: Access and Core
- Core must be fully meshed (IP reachability)
- Roles: Edge and Border
[Diagram: Region 1: Branch Sites, Edge Router (ER); Colo/POP: Border Router (BR); Region 0 (core): Middle Mile]

Roles
Border Router
- Configured with Region IDs in which they operate
- Provides inter-region connectivity by connecting regional overlay to a common core or backbone overlay
- Platform: cEdge only (HW or VNF)
Edge Router
- Configured with Region IDs in which they operate
- Default role
- Platform: cEdge or vEdge
- Use Border Routers as next hop for inter region prefixes
[Diagram: Region 1 (Access), Region 0 (core), Region 2 (Access)]

Topology: IP Forwarding
- 2-Layer Architecture
- SDWAN tunnels limited to regions
- Hop by Hop tunnels
- Decrypt/Encrypt on all nodes along the path
- IP Lookup and Forwarding per node
- Requires Service VPN on intermediate nodes (Border Routers)
- Mix of encapsulation is possible
- GRE in core/access
- Example: IPsec on access region and GRE on core
[Diagram: Region 1 (Access), Region 0 (core), Region 2 (Access)]

Distributed vSmarts
- vSmart controllers become regional
- No full mesh between region vSmarts
- vSmart for region0 cannot be shared with any access region
- Edge Routers connected to region vSmarts
- Border Routers connected to Region 0 vSmarts and Access Region vSmarts
- Allow for reasonably horizontal growth in number of edge routers and mitigate the path scale requirements
[Diagram: region1 (SITE61), region0 (Core; BR1, BR2, BR3), region2 (SITE63); vSmarts - Region 0, vSmarts - Region 1, vSmarts - Region 2]

vSmart Scaling based on Regions
Number of prefixes in / replicated to devices connected to region vSmarts
Flat
- All devices connected
- Rib-out: replicate prefixes to all routers
Per region vSmart
- Lower number of devices connected per region, per vSmart
- Lower number of next-hops/paths per prefix per VPN

Distributed vSmarts
- Same vSmart can serve multiple access regions
- vSmart for region0 cannot be shared with any access region
- Avoid vSmarts with some partial overlapping regions - vs1: 1,2,3; vs2: 1,2,4
[Diagram: region1 (SITE61), region0 (Core; BR1, BR2, BR3), region2 (SITE63); vSmarts - Region 0, vSmarts - Region 1 2]

Cisco Validator remains global
- vSmarts are configured with Region IDs
- vSmarts register with Cisco Validator
- Cisco Validator is aware of list of vSmart instances that are responsible for a given region(s).
- Cisco Validator responds to ER/BR Register requests with list of vSmarts that is filtered by match of Region ID between ER/BR and the vSmarts.
- Edge routers and border routers peer only with vSmart controllers in their matching region
Edge Router
- The Edge router requests Cisco Validator about vSmarts that are in the region-id across all its TLOCs
- Cisco Validator responds to the edge with only the filtered list of vSmarts.
[Diagram: Access Provider SDWAN Region1, Access Provider SDWAN Region2; vSmart1 (region1), vSmart2 (region2); Cisco Validator region-to-vSmart table: region 1 -> vSmart1, region 2 -> vSmart2; Edge Routers, Border Routers]

Routing in Multi-Region Fabric
[Diagram: Prefix P1; E1 (RID 1), E2 (RID 1), BR1 (RID 1 & 0), BR2 (RID 1 & 0), BR3 (RID 0 & 2), BR4 (RID 0 & 2), E3 (RID 2), E4 (RID 2)]

Prefix | NH  | Path
P1     | E3  | 2
P1     | BR4 | 0 2
P1     | BR2 | 1 0 2

- OMP and vSmart: region aware
- Border routers: vRoute re-origination from one region to another
- OMP captures Region path
- Re-originated routes are withdrawn if the connectivity goes down

Design considerations

What does your SD-WAN network look like today?
- Flat & Centralized Architecture
- Hierarchical & Semi-centralized Architecture
[Diagram: SD-WAN Fabric (x4); MPLS | DCI | SD-WAN Mid-mile/Backbone]

Migration Considerations
- Cost
- Security and compliance needs
- Scalability needs
- Cloud connectivity requirements
- Traffic patterns: existing and future
- Reliability and redundancy needs
- Network topology: physical and logical layout
- Insights into application needs, minimum latency requirements

Before the migration: Key design considerations
- Identify/update criteria for grouping devices and number of groups needed
  - Geography
  - Function
  - Define number of groups (access-regions) needed
  - Map branch sites to groups
- Identify regional aggregation sites for deployment
  - Leverage existing sites or new sites required?
  - On-prem (HW/CoLo) v. virtual (SDCI/cloud/SP hosted)
  - Nature of services/connectivity needed
  - Types of applications
- Identify WAN transports
  - For access-regions
  - For core-region
    - DCI/private backbone
    - SDCI
    - CSP backbone
    - SP backbone
  - Re-use existing WAN transports

Before the migration: Key design considerations
- Understand intra-region and inter-region traffic patterns and future intent
- Network scale at day 1 v. at day N
- Distributed vSmarts
  - For access-regions
  - For core-region
  - Cloud-hosted
  - On-prem
- Software Versions
  - For controllers
  - For Edges
  - 20.9/17.9 or later recommended

Migration Checklist
- Planning: Current network usage, capacity planning at regional hubs (BRs), desired network topology
- Preparation: Assess SW and HW needs, e.g. higher capacity regional hubs, additional controllers, cloud integration requirements, SaaS/DIA needs
- Testing: Ensure the new architecture meets application requirements, security/compliance needs, performance needs. Consider test cases applicable to the network being in migration state.
- Migration: Leverage learnings from this session. Adapt migration strategy based on your current network state. Schedule maintenance windows to avoid/minimize impact to users.
- Monitoring & Maintenance: Update operations/NOC tools to monitor multi-hop MRF network, train support teams.

Migration Steps

What is Migration Mode?
- Aids with migration to MRF
- Applied on Edge (branch) and Border (hub) routers only
- Minimizes downtime
- Keeps existing fabric intact during migration
  - Existing control policies remain intact
  - Keeps edge routers' connectivity to existing vSmarts intact (default region/non-migrated vSmarts)
  - SDWAN BFD tunnels to non-migrated sites remain intact
  - Communication from migrated to non-migrated sites is not affected

Supported Network Types for brownfield migration: OMP based Core
[Diagram: ER11 (London), ER21 (Paris), HUB1, HUB2, HUB3, HUB4, OMP Core, T1, T2, VS1, VS2; SDWAN tunnels; Non MRF]

Supported Network Types for brownfield migration: BGP based Core*
[Diagram: ER11 (London), ER21 (Paris), HUB1, HUB2, HUB3, HUB4, BGP Core, T1, T2, VS1, VS2; BGP on Service VPN; OMP/BGP redistribution on the hubs; Non MRF]
*Starting 20.9.2

Migration Steps: High Level
- Enable migration-mode on all SD-WAN routers
- Configure region, role and core TLOCs on BRs
- Configure region on ERs
- Allocate vSmarts for core and access regions

Migration Steps: OMP Core

Pre-Migration State
- Devices not operating in MRF mode
- Topology built with Control Plane Policies
- SDWAN Tunnels form an OMP core
- Devices connected to centralized vSmarts (Default Region)
[Diagram: ER11 (London), ER21 (Paris), BR1, BR2, BR3, BR4, T1, T2, VS1, VS2; SDWAN tunnels; Non MRF. Legend: HUB/Border Routers, Edge Routers, Control Connections]

vSmart Connection (For Reference)
Routers connected to default region vSmart

    ER11#sh sdwan OMP peer region-id
    R -> routes received
    I -> routes installed
    S -> routes sent

    TENANT ID  PEER       TYPE    DOMAIN ID  OVERLAY ID  SITE ID  REGION ID  STATE  UPTIME      R/I/S
    0          10.0.0.30  vsmart  1          1           100      None       up     0:00:00:32  0/0/2
    ER11#

    ER21#sh sdwan OMP peer region-id
    R -> routes received
    I -> routes installed
    S -> routes sent

    TENANT ID  PEER       TYPE    DOMAIN ID  OVERLAY ID  SITE ID  REGION ID  STATE  UPTIME      R/I/S
    0          10.0.0.30  vsmart  1          1           100      None       up     0:00:00:22  0/0/2
    ER21#

Pre-Migration State: Routes
- Prefixes advertised from SDWAN routers to centralized vSmart
- Prefixes/next-hop reflected to all devices in the overlay
- In this example, topology is built using advanced Control Plane Policies. Prefix P1 next-hop is statically changed from T3 to T1/T2
[Diagram: ER11 (London), ER21 (Paris), BR1, BR2, BR3, BR4, region 2, T1, T2, T3, P1, VS1, VS2; SDWAN tunnels; Non MRF. Legend: HUB/Border Routers, Edge Routers, Control Connections]

ER11 Routing Table
Prefix | NH     | Path | From
P1     | T1, T2 | -    | VS1, VS2

Logical Control Policy (OMP Core)
Region1 Branch Sites
- TLOCs, outbound advertisements:
  - Region1 Branches: All Colors
  - Region1 Gateways: All Colors
  - Default-reject
- ROUTES, outbound advertisements:
  - Region1 Branch Sites: Original TLOC
  - Region1 GW Sites: Original TLOC
  - Region2 branches: Region1 GW TLOC (mpls/inet)
  - Default-Reject
Region1 GW Sites
- TLOCs, outbound advertisements:
  - Region1 Branches: All Colors
  - Region1 Gateways: All Colors
  - Region2 Gateways: private6 color
  - Default-reject
- ROUTES, outbound advertisements:
  - Region1 Branch Sites: Original TLOC
  - Region1 GW Sites: Original TLOC
  - Region2 branches: Region2 GW TLOC (private6)
  - Region3 branches: Region3 GW TLOC (private6)
  - etc
  - Default Reject
Notes:
- No automatic configuration of Region
- Advanced Control Plane Policies requires admin to know technical details of TLOCs, Routes and GW

Central policy: Pre-migration configuration (For Reference)

    policy
     lists
      tloc-list BR1_CORE_TLOC
       tloc 175.1.11.10 color green encap ipsec
      !
      tloc-list BR1_TLOCS
       tloc 175.1.11.10 color lte encap ipsec
       tloc 175.1.11.10 color 3g encap ipsec
       tloc 175.1.11.10 color red encap ipsec
       tloc 175.1.11.10 color green encap ipsec
      !
      tloc-list BR2_CORE_TLOC
       tloc 175.2.13.10 color green encap ipsec
      !
      tloc-list BR2_TLOCS
       tloc 175.2.13.10 color lte encap ipsec
       tloc 175.2.13.10 color 3g encap ipsec
       tloc 175.2.13.10 color green encap ipsec
      !
      site-list AR1
       site-id 1100
       site-id 1300
      !
      site-list AR1_BR1
       site-id 1100
       site-id 11100
       site-id 1300
      !
      site-list AR1_BR2
       site-id 1100
       site-id 1300
       site-id 22100
      !
      site-list AR2
       site-id 2100
      !
      site-list BR1
       site-id 11100
      !
      site-list BR1_AR2
       site-id 11100
       site-id 2100
      !
      site-list BR1_BR2
       site-id 11100
       site-id 22100
      !
      site-list BR1_BR2_AR1
       site-id 1100
       site-id 11100
       site-id 1300
       site-id 22100
      !
      site-list BR1_BR2_AR2
       site-id 11100
       site-id 2100
       site-id 22100
      !
      site-list BR2
       site-id 22100
      !
      site-list BR2_AR2
       site-id 2100
       site-id 22100
      !
     control-policy CP1
      sequence 1
       match tloc
        site-list AR1_BR1
       !
       action accept
       !
      sequence 2
       match route
        site-list BR1_BR2_AR2
       !
       action accept
        set
         tloc-list BR1_TLOCS
       !
      sequence 3
       match route
        site-list AR1
       !
       action accept
       !
      default-action reject
     !
     control-policy CP2
      sequence 1
       match tloc
        site-list AR1_BR2
       !
       action accept
       !
      sequence 2
       match route
        site-list AR1
       !
       action accept
       !
      sequence 3
       match route
        site-list BR2_AR2
       !
       action accept
        set
         tloc-list BR2_CORE_TLOC
       !
      default-action reject
     !
     control-policy CP3
      sequence 1
       match tloc
        site-list BR1_AR2
       !
       action accept
       !
      sequence 2
       match route
        site-list AR2
       !
       action accept
       !
      sequence 3
       match route
        site-list AR1_BR1
       !
       action accept
        set
         tloc-list BR1_CORE_TLOC
       !
      default-action reject
     !
     control-policy CP4
      sequence 1
       match tloc
        site-list BR2_AR2
       !
       action accept
       !
      sequence 2
       match route
        site-list BR1_BR2_AR1
       !
       action accept
        set
         tloc-list BR2_TLOCS
       !
      sequence 3
       match route
        site-list AR2
       !
       action accept
       !
      default-action reject
     !
    apply-policy
     site-list AR1
      control-policy CP1 out
     !
     site-list AR2
      control-policy CP4 out
     !
     site-list BR1
      control-policy CP2 out
     !
     site-list BR2
      control-policy CP3 out
     !

Step 1: Enable MRF in Cisco Manager
- Enable MRF under Admin Settings
- Enable MRF in Cisco Manager Settings. This will display MRF parameters like region, roles in device templates
- No change on devices
[Diagram: ER11 (London), ER21 (Paris), BR1, BR2, BR3, BR4, VS1, VS2, T1, T2; SDWAN tunnels; Non MRF. Legend: HUB/Border Routers, Edge Routers, Control Connections]

Step 2: Configure Regions in Network Hierarchy Manager (NHM)

Step 3: Enable Migration Mode on BR and ER
On BRs and ERs:

    system
     multi-region-fabric
      migration-mode enabled

- Border Router and Edge Router system feature templates
- Under system: enable migration-mode enabled
- There will be no impact on any communication after user configures migration mode
[Diagram: ER11 (London), ER21 (Paris), BR1, BR2, BR3, BR4, T1, T2, VS1, VS2; SDWAN tunnels. Legend: Border Routers, Edge Routers, Control Connections]

Step 3: Enable Migration Mode on BR and ER

Step 4: Add Regional vSmarts
vSmarts:

    system
     host-name VS3
     system-ip 1.1.0.5
     site-id 1
     region 0

    system
     host-name VS11
     system-ip 1.1.1.5
     site-id 10
     region 1

    system
     host-name VS21
     system-ip 1.1.2.5
     site-id 20
     region 2

- Add additional vSmarts for core
- Add vSmarts for access regions depending on network sizing
- Default vSmarts remain intact (for migration period; can be re-purposed later)
- Access region vSmart can be shared
- Configure appropriate regions on vSmarts
[Diagram: ER11 (London), ER21 (Paris), BR1, BR2, BR3, BR4, region 1, region 2, region 0, VS1, VS2, T1, T2, VS11, VS12, VS21, VS22, VS3, VS4; SDWAN tunnels. Legend: HUB/Border Routers, Edge Routers, Control Connections]

Distributed vSmart sharing Examples (For reference)
vSmart deployment cases in regions:

vSmart Pair A, Region # | vSmart Pair B, Region # | Supported? | Why?
1,2                     | 1,2                     | Y          | vSmarts can be shared across same set of regions.
0                       | 1,2                     | Y          | vSmart for region 0 is separate from vSmart serving access-regions. A and B will not peer.
1,2                     | 3,4                     | Y          | vSmarts serving different access regions. A and B will not peer.
1,2,3                   | 1,2,4                   | N          | vSmarts have some partial overlapping regions
0,1                     | 0,1                     | N          | Region 0 can't be shared with access region vSmarts
0,1,2                   | 1,2,3                   | N          | Region 0 can't be shared with access region vSmarts. Both vSmarts have some partial overlapping regions
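
The sharing rules in the table above can be checked mechanically before regions are configured on vSmarts. The following is an added example, not part of the original slides or of any Cisco tooling: `check_vsmart_regions` and the sample data are hypothetical names, and the two rules it enforces are read directly from the table (region 0 is never combined with access regions; any two vSmarts serve either identical or fully disjoint region sets). It generalizes the pairwise table to a whole deployment.

```python
from itertools import combinations

CORE_REGION = 0  # the slides use region 0 for the core region


def check_vsmart_regions(assignments):
    """Return rule violations for a mapping {vsmart_name: iterable_of_region_ids}.

    An empty region set models a default-region (non-migrated) vSmart and is
    never flagged, since the slides keep those intact during migration.
    """
    problems = []
    # Rule 1: a vSmart serving region 0 must not also serve access regions.
    for name in sorted(assignments):
        regions = set(assignments[name])
        if CORE_REGION in regions and len(regions) > 1:
            access = sorted(regions - {CORE_REGION})
            problems.append(f"{name}: region 0 shared with access regions {access}")
    # Rule 2: two vSmarts serve the same regions or disjoint regions,
    # never a partial overlap.
    for a, b in combinations(sorted(assignments), 2):
        ra, rb = set(assignments[a]), set(assignments[b])
        if ra != rb and ra & rb:
            problems.append(f"{a}/{b}: partial overlap on regions {sorted(ra & rb)}")
    return problems


# The six rows of the slide's table: (pair A regions, pair B regions, supported?)
SLIDE_CASES = [
    ({1, 2}, {1, 2}, "Y"),
    ({0}, {1, 2}, "Y"),
    ({1, 2}, {3, 4}, "Y"),
    ({1, 2, 3}, {1, 2, 4}, "N"),
    ({0, 1}, {0, 1}, "N"),
    ({0, 1, 2}, {1, 2, 3}, "N"),
]


def slide_cases_agree():
    """True if the checker reproduces the Supported? column for every row."""
    return all(
        (not check_vsmart_regions({"A": a, "B": b})) == (verdict == "Y")
        for a, b, verdict in SLIDE_CASES
    )


# Constructed sample: the three vSmart configs shown in Step 4, plus one
# default-region vSmart (VS1) that has no region configured.
STEP4_DEPLOYMENT = {"VS3": {0}, "VS11": {1}, "VS21": {2}, "VS1": set()}

if __name__ == "__main__":
    print("table reproduced:", slide_cases_agree())
    print("Step 4 deployment problems:", check_vsmart_regions(STEP4_DEPLOYMENT))
    for line in check_vsmart_regions({"vs1": {1, 2, 3}, "vs2": {1, 2, 4}}):
        print(line)
```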

Step 5: Configure MRF config on BRs
BRx:

    system
     region 1
     role border-router
     multi-region-fabric
      migration-mode enabled
    !
    sdwan
     interface GigabitEthernet1
      tunnel-interface
       region core
       color private6
     !
     interface GigabitEthernet2
      tunnel-interface
       color biz-internet
     !

- Configure Transport interface to the core
- All transport interfaces in Access Region
- Enabling BR and assigning region
- Core region
- BR now are ready to
  - Interconnect the access-reg to the core and vice-versa (re-origination)
  - Interconnect existing/non-migrated sites to migrated sites
- Optional: core shared
[Diagram: ER11 (London), ER21 (Paris), BR1, BR2, BR3, BR4, T1, T2, VS1, VS2, VS11, VS12, VS21, VS22, VS3, VS4, region 1, region 2, region 0; SDWAN tunnels]

Step 5: MRF configurations on BRs

Step 5: MRF config on BRs - role/region

Border Routers connect to new region vSmarts
- Config change pushed to all BR devices
- Border Routers connect to access and core region vSmart but keep existing connections to default region vSmarts
- Prefixes still advertised from old centralized vSmarts VS1/VS2
[Diagram: ER11 (London), ER21 (Paris), BR1, BR2, BR3, BR4, region 0, region 1, region 2, T1, T2, VS1, VS2, VS11, VS12, VS21, VS22, VS3, VS4. Legend: Border Routers, Edge Routers, Control Connections, Regional Control Connections]

Step 6a: Migrate Edge Routers in Region 1 (London)
ER:

    system
     region 1
     role edge-router
     multi-region-fabric
      migration-mode enabled

- Config change pushed to devices in region1
- Configure secondary region (if required)
- Devices in region1 connect to region 1 vSmart but keep existing connections to old vSmarts
[Diagram: ER11 (London), ER21 (Paris), BR1, BR2, BR3, BR4, region 1, region 0, T1, T2, VS1, VS2, VS11, VS12, VS21, VS22, VS3, VS4. Legend: Border Routers, Edge Routers, Control Connections, Regional Control Connections]

Step 6: Migrate Edge Routers in Region1

Region 1: ER11 (London) (For Reference)

    ER11#sh sdwan OMP peer region-id
    R -> routes received
    I -> routes installed
    S -> routes sent

    TENANT ID  PEER       TYPE    DOMAIN ID  OVERLAY ID  SITE ID  REGION ID  STATE  UPTIME      R/I/S
    0          10.0.0.22  vsmart  1          1           100      1          up     0:00:00:22  24/12/4
    0          10.0.0.30  vsmart  1          1           100      None       up     0:00:00:18  2/1/4
    ER11#

- ER11 migrated to MRF with migration-mode enabled
- Connected to both region-aware vSmart and old vSmart
- Verify connectivity between both regions edges

Region 2: ER21 (Paris) still not migrated (For Reference)

    ER21#sh sdwan OMP peer region-id
    R -> routes received
    I -> routes installed
    S -> routes sent

    TENANT ID  PEER       TYPE    DOMAIN ID  OVERLAY ID  SITE ID  REGION ID  STATE  UPTIME      R/I/S
    0          10.0.0.30  vsmart  1          1           100      None       up     0:00:00:22  0/0/2
    ER21#

- ER21 not migrated to MRF
- Connected to old vSmart
- Advertises routes to old vSmart

Region 1 London (ER11) - OMP Route (For Reference)

    ER11#sh sdwan OMP route 10.10.10.105/32
    Code:
    C     -> chosen
    I     -> installed
    Red   -> redistributed
    Rej   -> rejected
    L     -> looped
    R     -> resolved
    S     -> stale
    Ext   -> extranet
    Inv   -> invalid
    Stg   -> staged
    IA    -> On-demand inactive
    U     -> TLOC unresolved
    BR-R  -> border-router reoriginated
    TGW-R -> transport-gateway reoriginated

    TENANT  VPN  PREFIX           FROM PEER  PATH ID  LABEL  STATUS  ATTRIBUTE TYPE  TLOC IP     COLOR         ENCAP  PREFERENCE  AFFINITY GROUP NUMBER  REGION ID  REGION PATH
    0       10   10.10.10.105/32  10.0.0.30  1        1002   C,I,R   installed       10.0.0.105  mpls          ipsec  -           None                   None       -
                                  10.0.0.30  2        1002   R       installed       10.0.0.105  biz-internet  ipsec  -           None                   None       -
    ER11#

- P1: 10.10.10.105
- Region2 not migrated: P1 prefix still advertised to/from old vSmarts VS1/VS2
- ER11 learns ER21 route from old vSmart
[Diagram: ER21, ER11, MRF Fabric]

Routing Table
Prefix | NH     | Path | From
P1     | T1, T2 | -    | VS1, VS2

Step 6b: Migrate Edge Routers in Paris (Region2)
- OMP will prefer region aware route vs route from default region
- Devices in region2 connect to access region2 vSmart but keep existing connections to default vSmarts
- P1 advertised to old vSmarts and new region vSmarts VS21-VS22
- ER11 receives P1 prefix from VS11-VS12 through BR re-origination and also from VS1-VS2
[Diagram: ER11 (London), ER21 (Paris), BR1, BR2, BR3, BR4, region 1, region 2, region 0, T1, T2, P1, VS1, VS2, VS11, VS12, VS21, VS22, VS3, VS4]

London Routing Table
Prefix | NH     | Path  | From
P1     | T1, T2 | 1 0 2 | VS11, VS12 (C,I,R)
P1     | T1, T2 | None  | VS1, VS2

Region 2: ER21 (Paris) (For Reference)

    ER21#sh sdwan OMP peer region-id
    R -> routes received
    I -> routes installed
    S -> routes sent

    TENANT ID  PEER       TYPE    DOMAIN ID  OVERLAY ID  SITE ID  REGION ID  STATE  UPTIME      R/I/S
    0          10.0.0.23  vsmart  1          1           100      2          up     0:00:00:05  28/14/2
    0          10.0.0.30  vsmart  1          1           100      None       up     0:00:00:05  4/0/2
    ER21#

- ER21 now migrated to MRF with migration-mode enabled
- Connected to both region vSmart and old vSmart
- Advertises route to both vSmart (region-aware and current/default)

Region 2: ER21 (For Reference)

    ER11#sh sdwan OMP route 10.10.10.105/32
    Code:
    C     -> chosen
    I     -> installed
    Red   -> redistributed
    Rej   -> rejected
    L     -> looped
    R     -> resolved
    S     -> stale
    Ext   -> extranet
    Inv   -> invalid
    Stg   -> staged
    IA    -> On-demand inactive
    U     -> TLOC unresolved
    BR-R  -> border-router reoriginated
    TGW-R -> transport-gateway reoriginated

    TENANT  VPN  PREFIX           FROM PEER  PATH ID  LABEL  STATUS  ATTRIBUTE TYPE  TLOC IP    COLOR         ENCAP  PREFERENCE  AFFINITY GROUP NUMBER  REGION ID  REGION PATH
    0       10   10.10.10.105/32  10.0.0.22  9        1003   C,I,R   installed       10.0.0.61  biz-internet  ipsec  -           None                   1          1 0 2
                                  10.0.0.30  10       1003   R       installed       10.0.0.61  biz-internet  ipsec  -           None                   None       -
    ER11#

- P1: 10.10.10.105
- ER11 now learns route from region vSmart with Region path is 1 0 2

Wrap-up: Clean-up Configs
- Remove Migration Mode from the BRs
- Remove Migration Mode configs from the ERs
- Decommission or Re-purpose the Default Region vSmart
- De-activate hop-by-hop centralized policies
[Diagram: ER11 (London), ER21 (Paris), BR1, BR2, BR3, BR4, region 1, region 2, region 0, T1, T2, P1, VS1, VS2, VS11, VS12, VS21, VS22, VS3, VS4]
93、affiliates.All rights reserved.Cisco Public#CiscoLiveImportantPay close attention to your pre-MRF control policies and their intentUpdate control policies during the course of migration to avoid blocking routes/TLOCs originated by BordersTest out your migration plan with production configs in your l
94、abBRKENT-265159Migration StepsBGP Core 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSample TopologyHUB2HUB2HUB1HUB1VS1VS1Before MigrationBefore MigrationER1ER1LondonLondonER2ER2ParisParisBGPBGPService VPNService VPNBGP CoreBGP CoreOMPOMP-BGPBGPBGPBGP-OMPOMPOMPOMP-BGPBGP
95、BGPBGP-OMPOMPOMPOMPOMPOMPDefault Region Default Region vSmartvSmartBGPBGPService VPNService VPNPrefix:P1Prefix:P1Service Service VPN:xVPN:xPrefix:P2Prefix:P2Service VPN:xService VPN:xOMP Peer(Control Connections)OMP Peer(Control Connections)TLOC Connection(BFD session)TLOC Connection(BFD session)BGP
96、 SessionBGP SessionPEPEinetinetT1T2T2T1T1T2Internet TLOCInternet TLOCMPLS TLOCMPLS TLOCBGP-based coreOMPBGP redistributionControl policy to route trafficBRKENT-265161 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveRegion1 Branches All ColorsRegion1 Gateways All ColorsDefa
97、ult-rejectTLOCs-Outbound AdvertisementsRegion1 Branch Sites Original TLOCRegion1 GW Sites-Original TLOCRegion2 branches Region2 branches Region1 GW TLOC Region1 GW TLOC(mplsmpls/inetinet)Default-RejectROUTES-Outbound AdvertisementsRegion1 Branches All ColorsRegion1 Gateways All ColorsDefault-rejectT
98、LOCs-Outbound AdvertisementsRegion1 Branch Sites Original TLOCRegion1 GW Sites Original TLOC etc Default RejectROUTES Outbound AdvertisementsRegion1 Branch SitesRegion1 Branch SitesRegion1 GW SitesRegion1 GW SitesNo automatic configuration of RegionAdvanced Control Plane Policies requires admin to k
99、now technical details of TLOCs,Routes and GWLogical Control Policy(BGP Core)BRKENT-265162 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSample Policy with 2 regionspolicyliststloc-list BR1_CORE_TLOCtloc 175.1.11.10 color green encapipsec!tloc-list BR1_TLOCStloc 175.1.11.
100、10 color lte encap ipsectloc 175.1.11.10 color 3g encap ipsectloc 175.1.11.10 color red encap ipsec!tloc-list BR2_CORE_TLOCtloc 175.2.13.10 color green encapipsec!tloc-list BR2_TLOCStloc 175.2.13.10 color lte encap ipsectloc 175.2.13.10 color 3g encap ipsec!site-list AR1site-id 1100site-id 1300!site
101、-list AR1_BR1site-id 1100site-id 11100site-id 1300!site-list AR1_BR2site-id 1100site-id 1300site-id 22100!site-list AR2site-id 2100!site-list BR1site-id 11100!site-list BR1_AR2site-id 11100site-id 2100!site-list BR1_BR2site-id 11100site-id 22100!site-list BR1_BR2_AR1site-id 1100site-id 11100site-id
102、1300site-id 22100!site-list BR1_BR2_AR2site-id 11100site-id 2100site-id 22100!site-list BR2site-id 22100!site-list BR2_AR2site-id 2100site-id 22100!control-policy CP1sequence 1match tlocsite-list AR1_BR1!action accept!sequence 2match routesite-list BR2_AR2!action acceptsettloc-list BR1_TLOCS!sequenc
103、e 3match routesite-list AR1_BR1!action accept!default-action reject!control-policy CP4sequence 1match tlocsite-list BR2_AR2!action accept!sequence 2match routesite-list AR1_BR1!action acceptsettloc-list BR2_TLOCS!sequence 3match routesite-list BR2_AR2!action accept!default-action reject!apply-policy
104、site-list AR1control-policy CP1 out!site-list AR2control-policy CP4 out!site-list BR1control-policy CP2 out!site-list BR2control-policy CP3 out!control-policy CP2sequence 1match tlocsite-list AR1_BR1!action accept!sequence 2match routesite-list AR1_BR1!action accept!default-action reject!control-pol
105、icy CP3sequence 1match tlocsite-list BR2_AR2!action accept!sequence 2match routesite-list BR2_AR2!action accept!default-action reject!For referenceBRKENT-265163 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBR2BR2BR1BR1Region 1Region 2VSVS-1 1Post MigrationPost Migration
Sample Topology
[Figure: ER1 (London, prefix P1, service VPN x) in Region 1 and ER2 (Paris, prefix P2, service VPN x) in Region 2; border routers BR1 and BR2 re-originate OMP routes across MRF Region Core 0. Labels: VS-1, VS-2, Core Region vSmart (Region 0), VS-12 shared vSmart (Region 1 and Region 2), T1, T2, Internet TLOC, MPLS TLOC. Legend: OMP peer (control connections), TLOC connection (BFD session).]

Step 1a: Enable MRF in Cisco Manager Settings
[Figure: non-MRF topology with HUB1 and HUB2 (hub/border routers), edge routers ER1 (London) and ER2 (Paris), VS1 (default region vSmart) and control connections.]
Enable MRF in Cisco Manager Settings. This will display MRF parameters like region and roles in configuration templates.
No config changes propagated to devices, yet.

Step 2: Configure Regions in Network Hierarchy Manager (NHM)
Step 3: Enable Migration Mode on all Branches
[Figure: BR1, BR2, VS1 (default region vSmart), ER1 (London, prefix P1, service VPN x), ER2 (Paris, prefix P2, service VPN x) and a PE in the BGP core (service VPN), with OMP-BGP and BGP-OMP redistribution on the BRs. Legend: OMP peer (control connections), TLOC connection (BFD session), BGP session.]
On ERs:

    system
     multi-region-fabric
      migration-mode enabled

No change to OMP peering.

Step 3: Provision vSmarts for Core and Access Regions
[Figure: same topology with HUB1 and HUB2, the default region vSmart VS1, and new vSmarts VS2 (Region 0) and VS12 (shared, Region 1 and Region 2).]
Recommended: Add new vSmarts

Step 4: We will now start using Migration Community X
[Figure: same topology with BR1, BR2, VS1 (default vSmart), VS2 (Region 0) and VS12 (Region 1 and Region 2).]
Migration Community X: unique in the network
Range: 1-4294967295
What can go wrong without using Mig Comm?
[Figure: BR1 and BR2 connected by both the BGP service VPN (old core) and the OMP core (region 0). Route labels: P1-ER1, BGP:P1-BR1, P1-BR2 0; an X marks the resulting loops.]
BR2 will start advertising routes from London as self-originated
Region-aware OMP routes are preferred over default region OMP routes
BR1 will now start forwarding traffic to BR2 to reach ER1 prefix P1
Same will happen for Prefix P2, originating from ER2

Step 5: Set Migration Community between BGP neighbors on BRs and PEs
[Figure: BGP sessions between the BRs and the PE in the BGP core carry Comm:12 in both directions (PE-BR BGP, BR-PE BGP).]
Ensures all routes in BGP core have community, even when locally originated from BR (example local services)
Additive
Both BRs:

    route-map APPEND-MIG-COMM permit 1
     set community 12 additive
    router BGP 2
     address-family ipv4 vrf 10
      propagate-community
      neighbor send-community
      neighbor route-map APPEND-MIG-COMM out
Step 6: Enable Migration Mode with Comm X on BR
[Figure: BR1 (Region 1) and BR2 (Region 2) with the BGP core carrying Comm:12; callouts on the BR configuration:]
Assign Region
Assign Role
Assign migration mode to BGP with community number
Assign Core (Region 0 TLOC)

Step 6: Match MIG comm and redistribute OMP-BGP
Any access region OMP routes learned from the default region vSmart are automatically tagged with the Mig comm by the BR's OMP when sent towards BGP (when BGP migration mode with Migration community is configured)
Migration Community is not propagated in the OMP Core
We make sure that routes learned from the OMP core are not re-advertised in the BGP core, to avoid loops (more on this later)

    ip community-list standard MIG-COMM permit 12
    route-map MATCH-MIG-COMM permit 1
     match community MIG-COMM
    router BGP 1
     BGP neighbor remote-as 12
     address-family ipv4 vrf 10
      redistribute OMP route-map MATCH-MIG-COMM

[Figure: routes in the BGP service VPN (old core) carry Comm:12; routes in the OMP core (region 0) carry no community; an X marks the blocked redistribution.]
Step 6: So, what have we done so far from BR1 perspective?
[Figure: BR1 (Region 1) and BR2 (Region 2) between the BGP service VPN (old core, Comm:12) and the OMP core (region 0), with numbered callouts 1-5.]
BR1: With the route-map matching MIG X, only matching routes get sent during OMP to BGP redistribution. It also strips MIG 12 from re-origination in the core region (region 0) once it receives region-aware access routes, i.e. when ER1 joins region 1
BR1: Route-map on the BGP neighbor towards the PE ensures routes go out with MIG 12, including local BR service VPN routes
PE: Ensures all routes go tagged with MIG 12 to its neighbors BR1 and BR2
BR1: Migration mode with MIG comm X ensures all routes from the access region, when installed in the BR's OMP, get tagged with MIG=12 when sent to the old core (BGP)
BR1: Core TLOC for the core added for end-to-end OMP instead of BGP based routing, e.g. mpls color
1-4 will be done on BR2 as well

Step 6: Automatically breaking the loop
[Figure: the BGP service VPN (old core) carries Comm:12; the OMP core (region 0) carries no community; an X marks the blocked redistribution on BR2.]
BR2 receives routes from BGP (service VPN) with Comm=12, matches them and blocks them from going towards the region 0 OMP core during BGP to OMP redistribution (automatically in the code)
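The loop described under "What can go wrong without using Mig Comm?" and the tag-and-block behaviour of Steps 5 and 6 can be traced with a small model. This is an added example, not Cisco code or configuration: it models only the redistribution rules stated on the slides, and the function names, route dictionaries and the `region` field are assumptions made for illustration.

```python
# Simplified model (assumption): only the rules stated on the slides are
# modelled; all names and data structures here are illustrative.
MIG_COMM = 12  # migration community value used on the slides


def omp_to_bgp(route, mig_comm):
    """BR: redistribute an OMP route into the BGP core (old core)."""
    if mig_comm is None:                    # migration community not in use
        return {**route, "communities": set(route["communities"])}
    if route["region"] == "core":           # region 0 routes carry no community,
        return None                         # so MATCH-MIG-COMM does not match
    return {**route, "communities": set(route["communities"]) | {mig_comm}}


def bgp_to_omp_core(route, br, mig_comm):
    """BR: redistribute a BGP route into the region 0 OMP core."""
    if mig_comm is not None and mig_comm in route["communities"]:
        return None                         # tagged access route: blocked
    return {"prefix": route["prefix"], "originator": br,
            "region": "core", "communities": set()}


def best_omp_path(paths):
    """Region-aware OMP routes are preferred over default-region routes."""
    return sorted(paths, key=lambda r: r["region"] == "default")[0]


def simulate(mig_comm):
    # Constructed input: P1 from ER1 (London), still in the default region.
    p1 = {"prefix": "P1", "originator": "ER1",
          "region": "default", "communities": set()}
    br1_omp = [p1]
    in_bgp = omp_to_bgp(p1, mig_comm)       # BR1 -> PE -> BR2
    reorig = bgp_to_omp_core(in_bgp, "BR2", mig_comm) if in_bgp else None
    if reorig:
        br1_omp.append(reorig)              # BR1 learns P1 "from BR2" via region 0
    br1_next_hop = best_omp_path(br1_omp)["originator"]
    br2_next_hop = "BR1" if in_bgp else None  # BR2 reaches P1 through the BGP core
    return {"br1_next_hop": br1_next_hop, "br2_next_hop": br2_next_hop,
            "loop": br1_next_hop == "BR2" and br2_next_hop == "BR1",
            "bgp_communities": sorted(in_bgp["communities"]) if in_bgp else []}


def core_route_leaks_to_bgp(mig_comm):
    """Is a region 0 route (P2 re-originated by BR2) sent into the BGP core?"""
    p2 = {"prefix": "P2", "originator": "BR2",
          "region": "core", "communities": set()}
    return omp_to_bgp(p2, mig_comm) is not None
```

Calling `simulate(None)` reproduces the loop between BR1 and BR2, while `simulate(MIG_COMM)` leaves BR1 forwarding towards ER1.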
Step 7: Modify Control Policies on vSmart to add core TLOCs
[Figure: BR1 (Region 1) and BR2 (Region 2) connected by the BGP core (service VPN, Comm:12) and by the OMP core (region 0); core TLOCs (vpn 0). Legend: TLOC connection (BFD session), BGP session.]
This is required as previously there was no SD-WAN tunnel between BRs and all connectivity was through BGP (service VPN)
Similar policy for other BRs, in this case BR2

    control-policy BGP-CORE-EUROPE-HUB-CP
     sequence 1
      match tloc
       site-list EUROPE-ALL-SITES
      !
      action accept
      !
     sequence 11
      match tloc
       site-list AMER-HUB
       tloc-list AMER-HUB-CORE-TLOCS
      !
      action accept
      !
     sequence 21
      match route
       site-list EUROPE-ALL-SITES
       prefix-list _AnyIpv4PrefixList
      !
      action accept
      !
     sequence 31
      match route
       site-list AMER-HUB
       prefix-list _AnyIpv4PrefixList
      !
      action accept
      !
     default-action reject

Step 8: Now start Migrating Access Regions - on ER
[Figure: ER1 (London) moves into Region 1; BR1 and BR2 still connect through both the BGP core (service VPN, Comm:12) and the OMP core (region 0). Legend: OMP peer (control connections), TLOC connection (BFD session), BGP session.]

Convergence during ER migration
[Figure: BR1 (Region 1) and BR2 (Region 2) with the OMP core (region 0) and the BGP core.]
Now ER1 will also advertise its route in region 1 along with the default region (as shown previously)
BR1 will receive 2 copies of the route, from the default vSmart and from the region 1 aware vSmart (the region-aware copy is installed)
BR1 will send one copy to BGP with mig-x attached, and the other copy to the region 0 core without MIG x
BR2 receives the route from BGP and OMP; OMP accepts the region 0 route, while forwarding-wise BGP is still preferred.
BR2 re-originates the region-aware route to region 2

Step 8: Migrating Other Access Regions - on ER
[Figure: BR1 (Region 1) and BR2 (Region 2) with the OMP core (region 0) and the BGP core.]
Now both domains are fully converged: Default and Region aware
Region-aware routes are preferred, and convergence is done at OMP level.
Core still uses BGP for forwarding.

Step 8: Migrating Other Access Regions - on ER
[Figure: same topology; an X marks route P2-BR2 blocked on BR1 towards the BGP core.]
BR1: With the route-map matching MIG X, only matching routes get sent during OMP to BGP redistribution, so here it blocks the OMP core route towards the BGP core to avoid loops

Cleanup
[Figure: BR1 (Region 1) and BR2 (Region 2) with the BGP core (service VPN, Comm:12), the OMP core (region 0), the default vSmart VS1, VS2 (Region 0) and VS12 (Region 1 and Region 2); callouts list the cleanup actions.]
Remove route-map setting MIG-comm on BGP-BGP
Remove Migration Mode on BR
Remove OMP-BGP redistribution route-map
Remove Migration mode from branches
Remove/Re-purpose Default vSmarts
De-activate control policies

Important
Cloud on Ramp (CoR) for Multi cloud and SDCI:
For brownfield scenarios, leverage this migration session's learnings
For new setups, CoR automation workflow is available in 20.10/17.10 but can be done manually in 17.9 as well.
For SDCI Megaport case: Usually, we recommend full-mesh in core, but for Megaport, connectivity is p2p. So, consider cost/feasibility of deploying full-mesh in the core.

Conclusion
Eliminate need for lengthy global network policies
Automatic hop-by-hop inter-region routing
Scalable design
Simpler redundancy planning
Flexible architecture to cater to dynamic network needs
Operationally easier to deploy and manage

Cisco SD-WAN multi-region fabric
Multi-Region Fabric is the core enabler for WAN architectures involving a middle-mile
For Managed Services SD-WAN
Large Enterprise deployments using MSP/Cloud/SDCI backbone
Brownfield migration capability available with August 22 release (20.9/17.9)!
Try it out today on dcloud: "Cisco SD-WAN POC Tool-Evolve from HSD-WAN to MRF v1"