#CiscoLive
Connecting Cisco SD-Access to External World
Devi Bellamkonda, Technical Marketing Engineering, Technical Leader
BRKENS-2811
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex App
Questions? Use Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.
https:/

Agenda

In this Session
- Expect to learn about new capabilities through use cases.
- We will not be covering the basics of Cisco SD-Access and its various components.
- The scenarios discussed may not exactly match your challenges, but they can give you insights on how to approach them.

Explore Ideas with
- Cisco Partners
- Cisco CX services
- Cisco SE or AM
- Cisco Communities
- Cisco Live meet the expert
- Cisco Live On-Demand Library

For Your Reference
The PDF contains a lot more information, marked "For your Reference".

Learning Maps by Technology Track
Customer Challenges and Requirements

Fabric ready Underlay
- Underlay for the fabric should be automated
- Concurrent Underlay automation for sites
- Zero-Touch Image Management with device onboarding

Firewall
- Enforcement on Firewall
- Network access for vendors at Convention Center

Critical Services
- Simplified Critical Services access such as Shared Services and Internet with minimum configuration.

Seamless Internet Connectivity
- Consistent Policy across Cisco SD-Access sites.
- No loss in Internet Connectivity (Active/Backup Internet).

Branch and Regional Locations
- Cisco SD-WAN network is already deployed. This SD-WAN network is used by Branch locations and regional sites to communicate with the remainder of the network.
- Consistent policy must be used across the Campus and WAN.
- Maximize port usage on switches in the Branch locations

Network topology (diagram): Headquarters, Migration Site 1 to Migration Site 4, two Small Branches, and a Data Center hosting ISE, Cisco DNA Center and the DHCP, DNS and AD services. WLCs for each site are not shown. Use cases mapped onto the topology: Fabric Underlay, Critical Services, Firewall, Convention Center, Seamless Internet, WAN.

LAN Automation Enhancements

Migration Site 1 to Migration Site 4 (diagram): sites interconnected by Layer 3 links and Layer 2 links.
Fabric Network Infrastructure - Underlay Infrastructure: LAN Automation (Migration Site 1, Layer 3 Switch)
- Zero-Touch Image Management with device onboarding.
- Automated underlay buildout with validated best practice configuration.
- L3 routed access network with IS-IS routing protocol.
- Higher MTU to accommodate VXLAN encapsulation.
- (optional) Enable the Multicast option to support Broadcast, Unknown-Unicast and Link-local Multicast (BUM).
- Automated underlay: turnkey solution to dynamically discover, onboard and provision switches to simplify network operations.

Underlay Infrastructure: LAN Automation Procedure (Primary Device and Peer Device in the Datacenter, IS-IS, VLAN 1)
1. Define Network Settings: Network Hierarchy; Device Credentials (CLI, SNMP, HTTP(s) credentials); IP Address Pools (IP pool to build the underlay infrastructure).
2. Provision network devices.
3. Select Seed devices: Primary/Peer Device and Interfaces.
4. Start LAN Automation: discover network devices, image management, and assign to site.
5. Stop LAN Automation: configure routed access.
References: Cisco DNA Center User Guide, Release 2.3.5; Cisco DNA Center SD-Access LAN Automation Deployment Guide.

Underlay Infrastructure: LAN Automation Seed and LAN Automation Discovered devices (Migration Site 1, diagram).
Underlay Infrastructure: After LAN Automation (Migration Site 1, diagram).
Underlay Infrastructure: Site after Migration (diagram): SD-Access Network (Migration Site 1) with two Colocated Border Node / Control Plane Nodes, Intermediate Nodes and Edge Nodes.

Fabric Network Infrastructure - Robust Underlay Infrastructure deployment
- L3 Routed Access Network
- Any routing protocol
- Resilient and redundant fast-converged connectivity with ECMP, BFD, NSF enabled.
- Loopback 0 with /32 host prefix.
- Higher MTU to accommodate VXLAN encapsulation
- Underlay multicast to optimize overlay subnet multicast/broadcast distribution
Manual Underlay: device-by-device onboarding and configuration, either manually or through Cisco DNA Center Plug-and-Play.
Automated Underlay: turnkey solution to onboard multiple switches with image management and best-practices configuration.

Underlay Infrastructure: LAN Automation Considerations
- Primary and Peer Device should be discovered and managed in Cisco DNA Center.
- Network Devices must be running DNA Advantage license.
- Redistribute the IS-IS routing protocol into the routing protocol in use, ensuring the LAN Automation IP address pool has reachability to Cisco DNA Center.
- LAN Automation IP Address Pool should be reserved as type LAN.
- The LAN IP Address Pool is split into 3 sub-pools to reserve: a temporary DHCP pool on the Primary Device; point-to-point link subnets (/31 prefix); Loopback 0 interface addresses with a host (/32) prefix.

Underlay Infrastructure: LAN Automation Automation
- LAN Automation has a new home.
- New LAN Automation landing page.
- We can have 5 simultaneous LAN Automation sessions with one session per site.

Underlay Infrastructure: LAN Automation Enhancements
- Simultaneous LAN Automation sessions are supported from Cisco DNA Center release 2.3.5.x.
- Simultaneous LAN Automation sessions: this feature allows customers to initiate up to 5 LAN Automation sessions with one session per site, for Zero Touch onboarding of PnP ready switches at 5 different sites.
- Dedicated LAN Automation landing page with a new workflow to initiate LAN Automation.
- As part of the LAN Automation enhancements, users can Add or Delete L3 links, which helps customers better manage links through customization. Deleting is permitted on an existing link that has previously been configured by LAN Automation.
(Diagram: Cisco DNA Center driving seed devices at Site 1 through Site 5.)

Network topology progress (diagram): SD-Access Network (Migration Site 1) completed; Migration Sites 2 to 4, Headquarters, Small Branches, Data Center and the remaining use cases (Fabric Underlay, Critical Services, Firewall, Seamless Internet, Convention Center, WAN).

Progress Chart

Fabric Constructs
Fabric Sites - A Closer Look
- Fabric Sites are an independent fabric area with a unique set of network devices.
- Contains Control Plane Nodes, Border Nodes, and Edge Nodes.
- Contains Fabric WLC and ISE Policy Service Node (PSN).
- The Border Node is the ingress and egress for the Fabric Site.
- May cover a single location, multiple locations, or a subset of a location (floor of a building).

SD-Access Fabric - Planes of Operation
1. Management Plane with Cisco DNA Center
2. Control Plane based on LISP
3. Data Plane based on VXLAN
4. Policy Plane based on Cisco TrustSec (CTS)

SD-Access Fabric - LISP Control Plane
- Fabric Nodes use LISP as a control plane protocol for Endpoint Identifier (EID) and Routing Locator (RLOC) information.
- Control Plane Node acts as a LISP Map-Server and LISP Map-Resolver for EID-to-RLOC mappings.
- Edge Nodes and Internal Border Node devices register EIDs to the Map Server.
- External Border Node acts as PXTR (LISP Proxy Tunnel Router) to provide a default gateway when no mapping exists.

SD-Access Fabric - VXLAN Data Plane
- Fabric Nodes use VXLAN as the data plane protocol, which supports both Layer 2 and Layer 3 overlays. This is because VXLAN encapsulation preserves the original Ethernet header.
- The VXLAN header contains the VNID (VXLAN Network Identifier) field, which allows up to 16 million VNIs.
- The VXLAN header also has a Group Policy ID for Scalable Group Tags (SGTs), allowing 64,000 SGTs.

SD-Access Fabric - Cisco TrustSec Policy Plane
- Security Group Tags (SGT) are a logical construct based on the user and device context.
- ISE dynamically assigns SGTs to the users and devices connecting to the network Fabric.
- Fabric Nodes add SGTs to the encapsulation of data communication between users and devices.
- Edge Nodes enforce the SG-ACL policies and contracts for the SGTs they protect locally.

Cisco SD-Access Borders - Border Nodes A Closer Look
There are three (3) ways to configure a Border Node:
- Rest of the Company (Internal-Only): used for Known (registered) routes.
- Outside World (External-Only): used for Unknown (unregistered) routes.
- Anywhere (Internal & External): used to access Known and Unknown routes (registered and unregistered).

Internal Border - Internal-Only Border Node
- Connects the Fabric to known (registered) networks. Registered networks generally include WAN, Data Center, Shared Services, etc.
- Advertises (exports) Fabric prefixes to the external domains.
- Imports external prefixes into the Fabric Site and registers them with the Control Plane Node.
(Diagram: MAN|WAN, SD-Access Transit, Internet, Data Center, Shared Services.)

External Border - External-Only Border
- Fabric Gateway of Last Resort: provides a default egress point for the Fabric Site.
- Connects the Fabric to unknown (unregistered) networks.
- Advertises (exports) fabric prefixes to the external domains.
- Does not import external prefixes into the Fabric Site.
- Does not register prefixes with the Control Plane Node.
- Border Nodes must have External functionality to connect to an SD-Access Transit.
(Diagram: Remainder of the Network, MAN|WAN, SD-Access Transit, Internet, Data Center, Shared Services.)

Anywhere Border
- Advertises (exports) Fabric prefixes to the external domains.
- Provides a default egress point for the Fabric Site.
- Connects to both known and unknown networks (registered and unregistered).
- Imports external prefixes into the Fabric Site and registers them with the Control Plane Node.
- As a Border Node with External functionality, it can connect to an SD-Access Transit.
(Diagram: MAN|WAN, SD-Access Transit, Shared Services, Internet, Data Center.)

Fabric Constructs - Layer 3 Virtual Network A Closer Look
- Layer 3 Virtual Networks maintain a separate Routing Table for each instance.
- Provides macro-segmentation (Routing Table Separation).
- Control Plane Node uses Instance ID to maintain separate VRF topologies.
- Fabric Nodes add a VNID to the Fabric encapsulation.
- Endpoint ID prefixes (Host Pools) are routed and advertised within a Virtual Network.
- Uses standard vrf definition configuration, along with RD & RT for remote advertisement on the Border Node.
(Diagram: Layer 3 Virtual Networks CAMPUS, IOT and GUEST.)

Fabric Constructs - Security Group Tags (SGTs) A Closer Look
- Security Group Tag is a policy object to group users, devices, and endpoints.
- Provides micro-segmentation (segmentation within a Virtual Network).
- Nodes use Security Groups to identify and assign a unique Security Group Tag (SGT) to Endpoints.
- Nodes add an SGT to the Fabric encapsulation.
- SGTs are used to manage address-independent Group-Based Policies.
- Edge Nodes use SGT to enforce local Scalable Group ACLs (SGACLs).
(Diagram: several SGTs inside each of the CAMPUS, IOT and GUEST Layer 3 Virtual Networks.)

Fabric Constructs - Host Pools A Closer Look
- Host Pools provide basic IP functions necessary for attached Endpoints.
- Edge Nodes use a Switch Virtual Interface (SVI), with IP Address/Mask, etc., per Host Pool.
- Fabric uses Dynamic EID mapping to advertise each Host Pool (per Instance ID).
- Fabric Dynamic EID allows Host-specific (/32, /128 or MAC) advertisement and mobility.
- Host Pools can be assigned Dynamically (via Host Authentication) and/or Statically (per port).
(Diagram: several Host Pools inside each of the CAMPUS, IOT and GUEST Layer 3 Virtual Networks.)

Fabric Constructs - Anycast Gateway A Closer Look
- Anycast Gateway provides a Layer 3 Default Gateway for IP-capable endpoints.
- Similar principle and behavior to HSRP/VRRP with a shared "Virtual" IP and MAC address.
- The same Switch Virtual Interface (SVI) is present on EVERY Edge Node and uses the SAME IP and MAC address.
- Control Plane with Fabric Dynamic-EID mapping maintains the Host-to-Edge-Node relationship.
- When a Host moves from Edge Node 1 to Edge Node 2, it does not need to change its Default Gateway.

Propagation using VXLAN - VN and SGT in VXLAN-GPO Encapsulation
- Classification: static or dynamic VN and SGT assignments.
- Propagation: carry VN and Group context across the network. Edge Node 1 encapsulates (VXLAN header with VN ID and SGT ID), the IP Network carries it, Edge Node 2 decapsulates.
- Enforcement: Group Based Policies, ACLs, Firewall Rules.

Propagation Methods
Inline methods:
- Ethernet Inline Tagging (EtherType 0x8909): 16-bit SGT encapsulated within the Cisco Meta Data (CMD) payload. Used on switches.
- IPSec/L3 Crypto: Cisco Meta Data (CMD) uses protocol 99 and is inserted at the beginning of the ESP/AH payload. Used on routers.
- VXLAN: SGT (16 bit) inserted into the Segment ID of the VXLAN Header.
SGT Exchange Protocol (SXP):
- IP-to-SGT binding exchange over 64999/TCP between an SXP Speaker and an SXP Listener (switches, routers, and a firewall as SXP aggregation point).
- Cisco ISE can be an SXP speaker/listener.
(Diagram: bindings 10.0.1.2 to SGT 5 and 10.4.9.5 to SGT 6 propagated from speakers to listeners.)
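As an added example (not code from the session or from Cisco), the VXLAN-GPO encapsulation the slides describe, encoded and decoded in Python: the 24-bit VNID carries the VN and the 16-bit Group Policy ID carries the SGT. The field layout follows the VXLAN group-policy draft; the VNI and SGT values are constructed.

```python
import struct
from typing import Optional

# VXLAN-GPO header (draft-smith-vxlan-group-policy), 8 bytes on the wire:
#   16-bit flags | 16-bit Group Policy ID | 24-bit VNI | 8 reserved bits
# In the fabric the VNI is the VN and the Group Policy ID is the SGT.
FLAG_G = 0x8000          # Group Policy ID field is present
FLAG_I = 0x0800          # VNI field is valid (the RFC 7348 "I" bit)
MAX_VNI = (1 << 24) - 1  # 24-bit VNID: ~16 million VNs
MAX_SGT = (1 << 16) - 1  # 16-bit SGT: 64K groups


def build_vxlan_gpo(vni: int, sgt: Optional[int]) -> bytes:
    """Encapsulate VN and SGT context the way an Edge Node or Border Node does.
    sgt=None produces a plain VXLAN header with the G bit clear (no group context)."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    flags = FLAG_I
    gpid = 0
    if sgt is not None:
        if not 0 <= sgt <= MAX_SGT:
            raise ValueError(f"SGT {sgt} does not fit in 16 bits")
        flags |= FLAG_G
        gpid = sgt
    # VNI occupies the top 24 bits of the last 32-bit word; low 8 bits are reserved.
    return struct.pack("!HHI", flags, gpid, vni << 8)


def parse_vxlan_gpo(header: bytes) -> dict:
    """Decapsulate: recover the VNI and the SGT (None when the G bit is clear,
    i.e. the sender propagated no group context and nothing downstream can
    enforce on a source SGT from this packet)."""
    if len(header) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags, gpid, vni_and_reserved = struct.unpack("!HHI", header[:8])
    if not flags & FLAG_I:
        raise ValueError("I bit clear: VNI not valid")
    return {
        "vni": vni_and_reserved >> 8,
        "sgt": gpid if flags & FLAG_G else None,
    }


def roundtrip(vni: int, sgt: Optional[int]) -> dict:
    """Encode then decode, as Edge Node 1 -> IP network -> Edge Node 2 would."""
    return parse_vxlan_gpo(build_vxlan_gpo(vni, sgt))


if __name__ == "__main__":
    # Constructed values: VN 4099 carrying SGT 17.
    print(build_vxlan_gpo(4099, 17).hex(), roundtrip(4099, 17))
```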
Policy Enforcement on Firewall

Border Deployment Options - Shared Services (DHCP, AAA, etc.) with Border
A Cisco SD-Access Border connecting an External Domain with an existing Global Routing Table should use a Peer Device with MP-BGP & VRF import/export.
(Diagram: Control Plane, Edge Node, Border Node running IS-IS and BGP with AF IPv4, AF VRF A and AF VRF B; Peer Device running MP-BGP with sub-interfaces G0/0/0.A and G0/0/0.B, SVI A/SVI B in VRF A/VRF B, towards the External Domain GRT/VRF.)
GRT/VRF Route Leaking Example:
  ip vrf USERS
   rd 1:4099
   route-target export 1:4099
   route-target import 1:4099
   route-target import 1:4097
  !
  ip vrf DEFAULT_VN
   rd 1:4098
   route-target export 1:4098
   route-target import 1:4098
   route-target import 1:4097
  !
  ip vrf GLOBAL
   rd 1:4097
   route-target export 1:4097
   route-target import 1:4097
   route-target export 1:4099
   route-target export 1:4098
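As an added example (not from the session or from Cisco), a small checker for the GRT/VRF route-leaking pattern above: it parses `ip vrf` blocks with their `route-target` statements and computes which VRF will import routes from which other VRF, so the macro-segmentation between user VNs can be verified before the peer device goes live. The embedded configuration is the page's own snippet; the parser and the checks are mine.

```python
import re
from typing import Dict, List, Set, Tuple

# The page's GRT/VRF route-leaking example, used as the input to check.
PAGE_CONFIG = """
ip vrf USERS
 rd 1:4099
 route-target export 1:4099
 route-target import 1:4099
 route-target import 1:4097
!
ip vrf DEFAULT_VN
 rd 1:4098
 route-target export 1:4098
 route-target import 1:4098
 route-target import 1:4097
!
ip vrf GLOBAL
 rd 1:4097
 route-target export 1:4097
 route-target import 1:4097
 route-target export 1:4099
 route-target export 1:4098
"""


def parse_vrfs(config: str) -> Dict[str, dict]:
    """Parse 'ip vrf' blocks into {name: {'rd': str, 'export': set, 'import': set}}."""
    vrfs: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.fullmatch(r"ip vrf (\S+)", line)
        if m:
            current = m.group(1)
            vrfs[current] = {"rd": None, "export": set(), "import": set()}
            continue
        if current is None:
            raise ValueError(f"statement outside a vrf block: {line}")
        m = re.fullmatch(r"rd (\S+)", line)
        if m:
            vrfs[current]["rd"] = m.group(1)
            continue
        m = re.fullmatch(r"route-target (export|import|both) (\S+)", line)
        if m:
            kind, rt = m.groups()
            for k in (("export", "import") if kind == "both" else (kind,)):
                vrfs[current][k].add(rt)
            continue
        raise ValueError(f"unrecognised line: {line}")
    return vrfs


def leak_matrix(vrfs: Dict[str, dict]) -> Dict[str, Set[str]]:
    """name -> set of other VRFs whose exported routes this VRF imports.
    A route leaks from A into B when some RT is in A's export set and B's import set."""
    return {
        name: {other for other, o in vrfs.items()
               if other != name and o["export"] & v["import"]}
        for name, v in vrfs.items()
    }


def segmentation_violations(vrfs: Dict[str, dict], user_vns: Set[str]) -> List[Tuple[str, str]]:
    """User VNs may import shared services but must never import each other's routes."""
    matrix = leak_matrix(vrfs)
    return sorted((a, b) for a in user_vns for b in matrix[a] if b in user_vns)


if __name__ == "__main__":
    vrfs = parse_vrfs(PAGE_CONFIG)
    for name, imported in leak_matrix(vrfs).items():
        print(f"{name} (rd {vrfs[name]['rd']}) imports from: {sorted(imported) or 'nothing'}")
    print("violations:", segmentation_violations(vrfs, {"USERS", "DEFAULT_VN"}))
```

Run over the page's snippet, it reports USERS and DEFAULT_VN each importing GLOBAL but not each other, and GLOBAL (which imports only 1:4097) importing neither of them; that asymmetry is exactly what the matrix is meant to make visible.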
Border Deployment Options (Peer Device Firewall) - Shared Services (DHCP, AAA, etc.) with Border
A Cisco SD-Access Border connecting an External Domain with an existing Global Routing Table could use a "Peer Device Firewall" with multiple Zones/Sub-Interfaces.
(Diagram: Control Plane, Edge Node, Border Node running IS-IS and BGP with AF IPv4, AF VRF A and AF VRF B; Peer Device firewall with sub-interfaces G0/0/0.A and G0/0/0.B towards the External Domain GRT/VRF.)
Firewall sub-interface configuration:
  int gi0/0/0.A
   vlan 101
   nameif A
   security-level 100
  !
  int gi0/0/0.B
   vlan 102
   nameif B
   security-level 100
  !
  int gi0/0/0
   nameif inside
   security-level 100

Border Deployment Options (Peer Device Firewall) - Sample Scenarios (diagram): Firewall HA Pair; Firewall Cluster with Spanned EtherChannel; VSS/SWV/vPC.
For More Information: Cisco Secure Firewall and SDA Integration Deep Dive, BRKSEC-2845.

Network topology progress (diagram): SD-Access Network (Migration Site 1) done; the Firewall use case at Headquarters is next.

Cisco SD-Access - Firewall
- Enforcement on Firewall
- Network access for vendors at Convention Center

Firewall as peer device (BGP/VRF-LITE over 802.1Q) to the SD-Access Network (Headquarters); Data Center with ISE, Cisco DNA Center and the DHCP, DNS, AD services.
- Recommended for designs requiring Stateful Inspection and Inter-VN policy.
- Ideal for designs requiring audits, adding logging capabilities.
- Control plane: LISP. Data plane: VXLAN header carrying the VNID (24 bits) and the SGT (16 bits).

SGT In-line Tagging (diagram sequence):
- The Source SGT is carried in the VXLAN header inside the fabric and in-line on the 802.1Q handoff to the Firewall.
- The Firewall gets Group Based Tags from ISE over SXP/pxGrid.
- The Destination SGT is learned by the Firewall from ISE over SXP/pxGrid (routers and DNAC are also shown as sources of mappings).

Policy Enforcement on Firewall
- A peer device may learn mappings from ISE via pxGrid (NGFW, for example) and via SXP if the peer device is a Router/Switch/ASA.
- If the Destination mappings are known by the Peer device, then enforce.
- Inter-VN policy enforcement can be done on a Peer device such as a router/switch or a firewall like ASA/FTD.
- SGT In-line tagging needs to be enabled on physical trunks on switches and on sub-interfaces on Routers/Firewalls.

Example policy on the Firewall (Development Server in the DC Network):
  SGT         DGT                  Contract
  Contractor  Development Server   Deny
  Developer   Development Server   Permit
  Employee    Development Server   Allow Web

Policy Enforcement on Firewall Demo (diagram): Fabric Site with C9K1 in VN Campus and endpoint 172.16.8.61 (Employees SGT), SGT In-line Tagging to Firepower managed by FMC, DC Network with Production_Servers 192.168.254.33.

FW SGT Propagation Use-Cases - Key Take Away
- Inline Tagging: scalable Inter-VN policies with source SGT criteria only. Appropriate for a firewall as a Cisco SD-Access peer device. If enforcing using Source SGTs, Ethernet Inline tagging can be implemented as it offers better scalability.
- Control Plane Propagation: flexible Attribute-Based Inter-VN policy. Source and Destination SGT can be propagated via Control Plane propagation using pxGrid or SXP. If enforcing using destination SGT, Control plane propagation methods such as pxGrid and SXP can be used. Memory limits on the enforcement device need to be considered.
- Control Plane Propagation & Inline Tagging (Recommended): a combination of both is a scalable approach where the user sends source SGTs via Inline and Destination SGTs via pxGrid. Minimal utilization of Firewall memory.
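As an added example (not from the session or from Cisco), the recommended combination above modelled on a firewall peer device in Python: the source SGT arrives inline with the packet, the destination SGT is resolved from IP-to-SGT bindings learned through pxGrid or SXP, and the demo contracts (Contractor deny, Developer permit, Employee allow web) are applied only when both tags are known. SGT numbers, addresses, the "Allow Web" port set and the default action are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed SGT numbering; the names are the page's demo groups.
SGT_NAMES = {10: "Contractor", 11: "Developer", 12: "Employee", 20: "Development_Server"}

# IP-to-SGT bindings as the firewall holds them after pxGrid/SXP learning (constructed).
PXGRID_BINDINGS: Dict[ipaddress.IPv4Network, int] = {
    ipaddress.ip_network("192.0.2.10/32"): 20,
    ipaddress.ip_network("192.0.2.64/26"): 20,
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    src_sgt: Optional[int]   # None when the packet carried no inline tag


@dataclass(frozen=True)
class Contract:
    src_sgt: int
    dst_sgt: int
    action: str                          # "permit" or "deny"
    ports: Optional[frozenset] = None    # None = any port; else only these are permitted


# The demo slide's policy. "Allow Web" is modelled as permit on 80/443 only (assumption).
CONTRACTS = [
    Contract(10, 20, "deny"),
    Contract(11, 20, "permit"),
    Contract(12, 20, "permit", frozenset({80, 443})),
]
DEFAULT_ACTION = "deny"   # assumed action for flows no contract covers


def lookup_sgt(ip: str, bindings: Dict[ipaddress.IPv4Network, int] = PXGRID_BINDINGS) -> Optional[int]:
    """Longest-prefix match of an address against the learned IP-to-SGT table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, sgt in bindings.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sgt)
    return None if best is None else best[1]


def evaluate(flow: Flow, contracts=CONTRACTS, bindings=PXGRID_BINDINGS) -> Tuple[str, str]:
    """Return (action, reason). Enforcement needs both tags: the inline source SGT
    and a control-plane-learned destination SGT; otherwise fall to the default."""
    if flow.src_sgt is None:
        return DEFAULT_ACTION, "no inline source SGT"
    dst_sgt = lookup_sgt(flow.dst_ip, bindings)
    if dst_sgt is None:
        return DEFAULT_ACTION, "destination mapping unknown"
    for c in contracts:
        if c.src_sgt == flow.src_sgt and c.dst_sgt == dst_sgt:
            pair = f"{SGT_NAMES.get(c.src_sgt, c.src_sgt)}->{SGT_NAMES.get(c.dst_sgt, c.dst_sgt)}"
            if c.action == "permit" and c.ports is not None and flow.dst_port not in c.ports:
                return "deny", f"{pair}: port {flow.dst_port} outside contract"
            return c.action, pair
    return DEFAULT_ACTION, "no contract"


if __name__ == "__main__":
    for f in (Flow("10.1.1.5", "192.0.2.10", 22, 10),      # Contractor -> server: deny
              Flow("10.1.1.6", "192.0.2.10", 22, 11),      # Developer -> server: permit
              Flow("10.1.1.7", "192.0.2.70", 443, 12),     # Employee -> server web: permit
              Flow("10.1.1.7", "192.0.2.70", 22, 12),      # Employee -> server ssh: deny
              Flow("10.1.1.7", "192.0.2.10", 443, None)):  # untagged: cannot enforce
        print(f, evaluate(f))
```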
If SXP is your only choice? SXPv5
- The latest SXP version before 17.9.1 is SXPv4 (not VRF aware): IP:SGT mappings from VN1, VN2 and VN3 are all sent via SXPv4.
- SXP Version 1: initial SXP version supporting IPv4 binding propagation.
- SXP Version 2: includes support for IPv6 binding propagation and version negotiation.
- SXP Version 3: adds support for Subnet-SGT binding propagation. If speaking to a lower version, then the subnet will be expanded to individual IP-SGT entries.
- SXP Version 4: loop detection and prevention, capability exchange and built-in keep-alive mechanism.
- SXPv5: not specific to SD-Access but used as an example here.

SXPv5 Example (diagram): a Cat9k reflector (IOS-XE 17.9.1) at 1.1.1.6 is the SXPv5 Speaker for the BuildingMgmt, BuildingSecurity and IOT VRFs, with bindings 10.1.1.1:SGT10, 20.1.1.1:SGT20 and 30.1.1.1:SGT30; the Cisco SD-Access Fabric Site Border at 1.1.1.3 is the SXPv5 Listener for the BuildingMgmt and BuildingSecurity VRFs. Reference: Group-Based Policy SXPv5 Guide.
  cts sxp export-list SXPv5-export-VRFs-to-Border
   vrf BuildingMgmt
   vrf BuildingSecurity
  !
  cts sxp export-import-group speaker SXPv5-speaker-grp-to-Border
   export-list SXPv5-export-VRFs-to-Border
   peer 1.1.1.3
  !
  cts sxp import-list SXPv5-import-from-Reflector
   vrf
  !
  cts sxp export-import-group listener SXPv5-import-grp-from-Reflector
   import-list SXPv5-import-from-Reflector
   peer 1.1.1.6

VLAN-Based L2VNI - Convention Center Use case
Network topology progress (diagram): SD-Access Network (Migration Site 1) and SD-Access Network (Headquarters) done; the Convention Center use case at Migration Site 3 is next.

Migration Site 3 before migration (diagram): Bakery-Floor 1 and Bakery-Floor 2 connected over Trunks, with SVI 100, SVI 200 and SVI 300 on the aggregation.

Cisco SD-Access VLAN-BASED L2VNI - After Migration (diagram): SD-Access Network (Migration Site 3) carrying an L2VN; Bakery-Floor 1 and Bakery-Floor 2 attach over Trunks; SVI 100, SVI 200 and SVI 300 now live outside the fabric, and a Firewall attaches over a Trunk.

Typical Use Cases: Convention Centers, Airport, Retail, Shopping Mall; BMS, OT, IoT.

Cisco SD-Access VLAN-BASED L2VNI - Overview
- Traditionally endpoints send non-local traffic (traffic destined for a remote subnet) to a Distributed Anycast Gateway which is present on all Edge Nodes for a given fabric site. The Edge Node is then responsible for forwarding traffic to the appropriate routed destination after performing a destination lookup via LISP.
- The VLAN-based L2VNI service enables Cisco SD-Access to provide pure Layer 2 connectivity between endpoints with no Anycast Gateway present in the fabric site.

Details
- Supported from Cisco DNA Center 2.3.3.x. Fabric Wireless is supported from Cisco DNA Center 2.3.5.x.
- A firewall as a default gateway can be used for East-West traffic security compliance.
- L2 flooding will automatically be enabled for any VLAN-based L2VNI. L2 flooding in the overlay requires ASM (Any-source multicast) in the underlay.
- If a VLAN-Based L2VNI requires connectivity to endpoints external to the fabric, then use Layer 2 Border handoff automation or use an Edge Node "Trunk" port.
- L2VNI utilizes the same resources as the IP Pool. The total count of IP Pools and L2VNI VLANs must not exceed the numbers specified in the DNA Center Data Sheet.
- SGT assignment and policy are applicable within a VLAN-Based L2VNI.
- If the L2 VN is necessary only in specific sections of the network, it is advisable to place the L2 VN within a Fabric Zone. This helps reduce the number of fabric Edges participating in flooding.
For more details: Cisco DNA Center Data Sheet.

VLAN-BASED L2VNI Demo (diagram): 9200-PAT-L2VNI (Bakery-Floor-2, 192.168.0.2) and 3560CX-E60-L2VNI (Bakery-Floor-1) carry L2VNI 8194 / VLAN 200 with SVI 200 outside the fabric; endpoint 10.130.130.10 (f87a.41f7.52c2) and a second endpoint in the 10.130.130.x range.

VLAN-BASED L2VNI Automation (Cisco DNA Center workflow screenshots).

Network topology progress (diagram): SD-Access Network (Migration Site 1), SD-Access Network (Headquarters) and SD-Access Network (Migration Site 3) done; Seamless Internet, Critical Services and WAN remain.

Progress Chart

Simplified Critical Services access - SD-Access Extranet
104、layCritical ServicesFirewallWANWANConvention CenterBRKENS-281188 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveProgress ChartBRKENS-281189Simplified Critical Services accessSD-Access Extranet 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLivePeer
105、 Network ConfigurationLayer 3 Handoff to External IP Domain INFRA_VNINFRA_VNVN_CAMPUSVN_CAMPUSVN_IOTVN_IOTVN_GUESTVN_GUESTSharedShared-ServicesServicesPeer DevicePeer DeviceBorderBorderINFRA_VNINFRA_VNVN_CAMPUSVN_CAMPUSVN_IOTVN_IOTVN_GUESTVN_GUESTPeer DevicePeer DeviceBorderBorderPeer Device 1Peer D
106、evice 1Peer Device 2Peer Device 2BorderBorder-1 1BorderBorder-2 2 eBGP neighborsfor each VN between Peer and Border node Configure VRF Interfaces for each VN matching Border configuration Route-leak shared-services subnets to each VN Route-leak VN subnets into Global iBGP neighbors for each VN betwe
107、en Border nodesINFRA_VNINFRA_VNVN_GUESTVN_GUESTVN_CAMPUSVN_CAMPUSVN_IOTVN_IOTBorderBorderPeer DevicePeer DeviceNot required at Fabric Site LISP Pub-Sub deployments.Extend eBGP Route LeakiBGPFor YourReferenceBRKENS-281191 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveCisc
108、o SD-AccessSimplified Critical Services such as Shared Services and Internet with minimum configurationCritical ServicesCritical ServicesBRKENS-281192 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveCisco SD-AccessEndpoints in an SD-Access Fabric Site are in an overlay Vir
109、tual Network(VRF Routing Table)Endpoints need access to Internet and critical Shared Services such as DHCP,DNS,and AD.Shared Services are located outside the Fabric Site,usually in a Data Center.Shared Services are generally in the GRT although may be in a dedicated Shared Services VRF.VRF route lea
110、king is needed to leak Fabric Virtual Networks to the Shared Services routing table.This configuration is done manually outside of the Fabric(think“fusion router”).Current Network ChallengesCurrent Network ChallengesBRKENS-281193 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#Cisc
Cisco SD-Access Extranet: Solution Introduction
- LISP Extranet provides a flexible and scalable method for giving endpoints inside the Fabric access to Shared Services and to the Internet.
- This simplifies SD-Access Fabric deployments by providing a policy-based method of VRF leaking.
- LISP Extranet helps avoid route leaking outside the Fabric Site by addressing the leaking natively in LISP.

[Diagram: SD-Access Extranet Policy with Subscriber VNs Employees, Contractors and IOT, and Provider VN Shared Services (DHCP, DNS, AD)]

Definition of Terms
- Provider Virtual Network: contains shared services resources such as DHCP, DNS, or even the Internet.
- Subscriber Virtual Network: contains endpoints, hosts, and users that need to access shared services resources.
- Extranet Policy: describes the relationship between a Provider Virtual Network and one or more Subscriber Virtual Networks (Fabric Layer 3 Virtual Networks).

[Diagram: Cisco SD-Access Extranet at SD-Access Network (Migration Site 2). LISP Extranet Policies reside on Control Plane / Transit Control Plane Nodes. Before: VN "Employee" and VN "Contractor" each need their own VN handoff to the Peer Device toward DHCP, DNS, AD (Shared Services). After: Subscriber VN "Employee" and Subscriber VN "Contractor" reach Shared Services through a single PVN VRF-lite handoff.]

Extranet Policy Details
- Extranet policy is orchestrated and maintained via Cisco DNA Center.
- Supported from Cisco IOS XE 17.9 and Cisco DNA Center 2.3.4.x.
- An Extranet Policy can be associated with one or more Fabric Sites connected via IP transit or SD-Access transit.
- With Extranet, the user only needs to perform the Layer 3 handoff for Provider VNs from the Border nodes.
SD-Access Extranet policy:
- Allows communication from the Subscriber Virtual Networks to the Provider Virtual Network.
- Allows communication from the Provider Virtual Network to the Subscriber Virtual Networks.
- Contains a single Provider Virtual Network.
- Contains one or more Subscriber Virtual Networks.
- Denies Subscriber to Subscriber communication.

    Extranet Policy    Provider VN    Subscriber VN
    Provider VN        NO             YES
    Subscriber VN      YES            NO

Considerations
- Extranet policies are supported with LISP Pub/Sub fabric only.
- A Provider Virtual Network in one Policy cannot be a Subscriber Virtual Network in another Policy.
- A Subscriber Virtual Network in one Policy cannot be a Provider Virtual Network in another Policy.
- The Provider VN can be a dedicated VN or INFRA_VN (INFRA_VN cannot be a Subscriber VN).
- A Virtual Network can be a Provider in only one Policy.
- Virtual Networks can be a Subscriber in one or more Policies.
- Provider to Provider communication is not supported.
- Subscriber to Subscriber communication is not supported.
- Extranet is not meant to leak Fabric VRF to Fabric VRF. If two devices inside the Fabric need to communicate with one another, put them in the same Virtual Network.
- Multicast leveraging Extranet functionality is not supported (if Multicast traffic stays within a VN, then it is supported, e.g., RP, Source and Receiver within a VN).

Cisco SD-Access Extranet: Packet Flows

SD-Access Extranet Shared Services
[Diagram repeated for each step: SD-Access Network (Migration Site 2) with Subscriber VN "Employee", Subscriber VN "Contractor", a PVN VRF-lite handoff to DHCP, DNS, AD (Shared Services), and Cisco DNA Center]
1. All virtual networks (VNs) within the fabric require connectivity to shared services, which are connected to the fabric border through a Provider VRF called Shared Services. These routes are imported into the Provider VRF Shared Services in LISP.
2. The admin creates the SD-Access Extranet policy via the Cisco DNA Center workflow, which is configured on the Control Plane node.
   Extranet Policy: Provider VN is "Shared Services"; Subscriber VN is "Employee"; Subscriber VN is "Contractor".
   * Only one Provider VRF is allowed per extranet policy instance. Multiple subscribers are allowed.
   At this stage, the CP knows about users (host entries) in the respective virtual networks and their location (Edge node). The CP also knows about the shared service prefixes via the Border (the Border is either Internal or Anywhere).
3. A host in Subscriber VN Employee on the Edge node wants to communicate with a server in Shared Services (Shared Services VN).
4. The Edge node with Virtual Network Employee sends a map-request to the Control Plane node requesting to reach the server in Shared Services.
5. The Control Plane node first looks in the source VN, Subscriber VN Employee, for the shared service subnet, which will be absent. The second lookup is in Provider VN Shared Services, because Employee is part of an extranet policy; there the prefix will be present.
6. The Control Plane node responds with a map-reply carrying the Provider VN Shared Services information to the Edge node.
7. The Edge node sends the data plane traffic (VXLAN encapsulated) to the Border node in Provider VN Shared Services.
8. The Border node de-encapsulates the VXLAN traffic and sends the IP traffic to the external world (Shared Services).
9. Return traffic from shared services ingresses at the Border node in Provider VN Shared Services.
10. The Border node will not have the destination host information in Provider VN Shared Services. A policy is defined on the border so that the ingress packet is always looked up in the respective subscriber VN.
11. The Border node sends the data plane traffic (VXLAN encapsulated) to the Edge node in Subscriber VN Employee.

SD-Access Extranet Internet
[Diagram repeated for each step: SD-Access Network (Migration Site 2) with Subscriber VN "Employee", Subscriber VN "Contractor", a PVN VRF-lite handoff to the Internet, and Cisco DNA Center]
1. The Border connects to the Internet. All user VNs in the fabric need connectivity to the Internet. The Internet connects to a Provider VRF named "Internet" that is only present on the fabric border. Internet prefixes are not known to the Border nodes.
2. The admin creates the SD-Access Extranet policy via the Cisco DNA Center workflow, which is configured on the Control Plane node.
   Extranet Policy: Provider VN is "Internet"; Subscriber VN is "Employee"; Subscriber VN is "Contractor".
   * Only one Provider VRF is allowed per extranet policy instance. Multiple subscribers are allowed.
   At this stage, the CP knows about users (host entries) in the respective virtual networks and their location (Edge node).
147、 handoff33 Host in Virtual Network Subscriber VN Contractor on Edge node wants to reach a prefix on the Internet which is reachable via default route in Provider VN InternetInternetInternetSD-Access Network(Migration Site 2)SD-Access Extranet InternetBRKENS-2811114 2023 Cisco and/or its affiliates.A
148、ll rights reserved.Cisco Public#CiscoLiveSubscriber VN”Employee”Subscriber VN“Contractor”PVN VRF-lite handoff44 Edge node with Virtual Network Subscriber VN Contractor sends a map-request to the control plane node requesting to reach prefix in Internet.InternetInternetSD-Access Network(Migration Sit
149、e 2)SD-Access Extranet InternetBRKENS-2811115 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSubscriber VN”Employee”Subscriber VN“Contractor”PVN VRF-lite handoff55 Control Plane node is going to first look at the source VN which is Subscriber VN Contractor for internet pr
150、efix which will be absent.Second lookup would be in Provider VN Internet as Contractor is part of an extranet policy where the prefix will be absent.InternetInternetSD-Access Network(Migration Site 2)SD-Access Extranet InternetBRKENS-2811116 2023 Cisco and/or its affiliates.All rights reserved.Cisco
151、 Public#CiscoLiveSubscriber VN”Employee”Subscriber VN“Contractor”PVN VRF-lite handoff6 If no registration is found for the prefix in both source VN Subscriber VN Contractor and Provider VN Provider VN Internet then,Control Plane node will respond to Edge node with a map-reply informing edge node to
152、send the traffic to Border using Provider VN Internet which has default route present6InternetInternetSD-Access Network(Migration Site 2)SD-Access Extranet InternetBRKENS-2811117 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSubscriber VN”Employee”Subscriber VN“Contracto
153、r”PVN VRF-lite handoff77 Edge node will send the data plane traffic(VXLAN encapsulated)to the Border node in Provider VN Internet.InternetInternetSD-Access Network(Migration Site 2)SD-Access Extranet InternetBRKENS-2811118 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSu
154、bscriber VN”Employee”Subscriber VN“Contractor”PVN VRF-lite handoff88 Border node will de encapsulate the VXLAN traffic and send the IP traffic to external world(Internet)InternetInternetSD-Access Network(Migration Site 2)SD-Access Extranet InternetBRKENS-2811119 2023 Cisco and/or its affiliates.All
155、rights reserved.Cisco Public#CiscoLiveSubscriber VN”Employee”Subscriber VN“Contractor”PVN VRF-lite handoff9 Internet traffic is going to ingress at the Border node in Provider VN Internet9InternetInternetSD-Access Network(Migration Site 2)SD-Access Extranet InternetBRKENS-2811120 2023 Cisco and/or i
156、ts affiliates.All rights reserved.Cisco Public#CiscoLiveSubscriber VN”Employee”Subscriber VN“Contractor”PVN VRF-lite handoff Border node will not have destination host information in the Provider VN Internet.A policy is defined on the border where the ingress packet is always looked up in the respec
157、tive subscriber VN.1010InternetInternetSD-Access Network(Migration Site 2)SD-Access Extranet InternetBRKENS-2811121 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSubscriber VN”Employee”Subscriber VN“Contractor”PVN VRF-lite handoff Border node will send the data plane tra
158、ffic(VXLAN encapsulated)to the Edge node in Subscriber VN Contractor.1111InternetInternetSD-Access Network(Migration Site 2)SD-Access Extranet InternetBRKENS-2811122 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveFlowFlowEventEvent1Admin creates SD-Access Extranet policy
159、via Cisco DNA Center workflow which is configured in Control Plane node.Extranet Policy:Extranet Policy:Provider VN is“Shared Services”Subscriber VN is“Employee”Subscriber VN is“ContractorContractor”2Host on a subscriber VN(Employee)tries to initiate a communication to another host in the subscriber
160、 VN(ContractorContractor)3The respective edge node generates a map request to the control plane.4Map server responds back with a map-reply with the action set to drop the frame5Edge node installs the entry in map-cache and CEF to drop the frame,thus blocking subscriber to subscriber communicationSD-
161、Access Extranet Subscriber to Subscriber policy24315Fabric_edge#show ip lisp instance-id 4105 map-cache 9.10.61.0LISP IPv4 Mapping Cache for LISP 0 EID-table vrf corp(IID 4105),7 entries9.10.61.0/24,uptime:00:00:04,expires:00:14:55,via map-reply,dropSources:map-replyState:drop,last modified:00:00:04
162、,map-source:9.254.254.66Active,Packets out:0(0 bytes),counters are not accurateFabric edge installs entry in map-cache and CEF to drop traffic between SubscribersHow Subscriber to Subscriber policy is denied?BRKENS-2811123 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSD
163、-Access Extranet Automation WorkflowFor YourReferenceBRKENS-2811124 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveFor YourReferenceSD-Access Extranet Automation WorkflowBRKENS-2811125 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSD-Access Ex
164、tranet Automation WorkflowFor YourReferenceBRKENS-2811126 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSD-Access Extranet Automation WorkflowFor YourReferenceBRKENS-2811127 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveCisco SD-Access Networ
165、kLISP Extranet Policies reside on Control Plane/Transit Control Plane NodesSubscriber VN”Corp”-9.10.60.0/249.10.61.0/24DHCP,DNS,AD(Shared Services)Shared Services VRF-lite handoffVN Policy NameVN Policy NameProvider VNProvider VNSubscriber VNSubscriber VNP1Shared ServicesCorpExtranet Policy created
166、on Cisco DNA Center:extranet p1eid-record-provider instance-id 4104ip-anyexit-eid-record-provider!eid-record-subscriber instance-id 41059.10.60.0/249.10.61.0/24ip-anyexit-eid-record-subscriber!exit-extranetConfigurationExtranet Policy show lisp extranet p1 instance-id 4104LISP Extranet policy tableH
167、ome Instance ID:4104Prov/Sub Source InstID EID prefixProvider Default ETR Reg V4 4104Subscriber Config 4105 9.10.60.0/24Subscriber Config 4105 9.10.61.0/24Total entries:3Cisco SD-Access ExtranetSingle Site ExampleFor YourReferenceBRKENS-2811128 2023 Cisco and/or its affiliates.All rights reserved.Ci
168、sco Public#CiscoLiveSDSD-Access TransitAccess TransitFabric Site 1Fabric Site 1InternetFabric Site 2Fabric Site 2Subscriber VN“Campus”VN Policy NameVN Policy NameProvider VNProvider VNSubscriber VNSubscriber VNExtranet_Policy_1_ServicesServicesCampusExtranet Policy created on Cisco DNA Center:Extran
169、et policy configuration on Control Plane Node:extranet Extranet_Policy_1_Servicesextranet-config-from-transiteid-record-provider instance-id 4101exit-eid-record-provider!exit-extranetextranet Extranet_Policy_1_Servicesextranet-config-from-transiteid-record-provider instance-id 4101exit-eid-record-pr
170、ovider!exit-extranetExtranet policy configuration on Control Plane Node:Extranet policy configuration on Transit Control Plane Node:extranet Extranet_Policy_1_Serviceseid-record-provider instance-id 4101ip-anyexit-eid-record-provider!eid-record-subscriber instance-id 4099ip-anyexit-eid-record-subscr
171、iber!exit-extranetExtranet Policy on Local CP:show lisp extranet Extranet_Policy_1_Services instance-id 4101LISP Extranet policy tableHome Instance ID:4101Prov/Sub Source InstID EID prefixProvider Default ETR Reg V4 4101Subscriber Config-Propagation 4099 172.16.8.0/24Subscriber Config-Propagation 40
172、99 172.16.42.0/24Total entries:3ServicesServicesVRF-litehandoffExtranet Policy on TCP nodes:show lisp extranet Extranet_Policy_1_Services instance-id 4101LISP Extranet policy tableHome Instance ID:4101Prov/Sub Source InstID EID prefixProvider Default ETR Reg V4 4101Subscriber Dynamic 4099 172.16.8.0
173、/24Subscriber Dynamic 4099 172.16.42.0/24Total entries:3For YourReferenceCisco SD-Access ExtranetMulti-site Site ExampleBRKENS-2811129Cisco SD-Access Extranet Demo 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLive131Cisco SD-Access Extranet DemoBRKENS-2811Cisco SD-Access Ne
174、tworkSubscriber VN”Campus”-172.16.8.0/24DHCP,DNS,AD(Shared Services)Provider VN Services VRF-lite handoffVN Policy NameVN Policy NameProvider VNProvider VNSubscriber VNSubscriber VNFirst_PolicyServicesCampusExtranet Policy created on Cisco DNA Center:2023 Cisco and/or its affiliates.All rights reser
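The lookup order described in the packet flows above (source VN first, then the Provider VN, drop between Subscribers, Border with the default route when nothing is registered) and the rules on the Considerations slide, as an added Python model that is not code from the deck or from Cisco. VN names, prefixes and RLOCs are constructed for the demonstration; the "Employee", "Contractor", "Shared Services" and "Internet" VNs mirror the deck's scenario.

```python
# Added example (not from the Cisco Live deck or from Cisco): a model of the
# control-plane lookups driven by an SD-Access Extranet policy. All VN names,
# prefixes and RLOCs below are constructed sample values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class ExtranetPolicy:
    name: str
    provider: str
    subscribers: frozenset


@dataclass
class MapReply:
    action: str                 # "forward", "drop", "default-border" or "no-entry"
    vn: Optional[str] = None    # VN whose table produced the answer
    rlocs: tuple = ()           # target RLOC(s): one xTR, or the border list


class ControlPlane:
    """Map-server model: per-VN EID registrations plus extranet policies."""

    def __init__(self):
        self.eid_tables = {}        # vn -> {ip_network: rloc}
        self.policies = []
        self.default_borders = {}   # vn -> borders that hold a default route

    def register(self, vn, prefix, rloc):
        self.eid_tables.setdefault(vn, {})[ip_network(prefix)] = rloc

    def add_policy(self, policy):
        """Reject policies that break the rules on the Considerations slide."""
        if policy.provider in policy.subscribers or "INFRA_VN" in policy.subscribers:
            raise ValueError("provider cannot subscribe to itself; INFRA_VN cannot subscribe")
        for other in self.policies:
            if policy.provider == other.provider:
                raise ValueError("a VN can be a provider in only one policy")
            if policy.provider in other.subscribers or other.provider in policy.subscribers:
                raise ValueError("provider in one policy cannot be subscriber in another")
        self.policies.append(policy)

    def _lookup(self, vn, dst):
        """Longest-prefix match for dst in one VN's EID table, or None."""
        addr, best = ip_address(dst), None
        for net, rloc in self.eid_tables.get(vn, {}).items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, rloc)
        return best

    def map_request(self, src_vn, dst):
        """Answer a map-request from an edge node in src_vn for destination dst."""
        hit = self._lookup(src_vn, dst)              # first lookup: source VN
        if hit:
            return MapReply("forward", src_vn, (hit[1],))
        for pol in self.policies:
            if src_vn not in pol.subscribers:
                continue
            hit = self._lookup(pol.provider, dst)    # second lookup: provider VN
            if hit:
                return MapReply("forward", pol.provider, (hit[1],))
            for sub in pol.subscribers - {src_vn}:   # subscriber-to-subscriber: drop
                if self._lookup(sub, dst):
                    return MapReply("drop", sub)
            if pol.provider in self.default_borders:  # unknown EID, provider has 0/0
                return MapReply("default-border", pol.provider,
                                tuple(self.default_borders[pol.provider]))
        return MapReply("no-entry")                  # negative map-reply

    def border_ingress(self, provider_vn, dst):
        """Return traffic entering the border in a provider VN is looked up in
        each subscriber VN of that provider's policy; returns (vn, rloc)."""
        for pol in self.policies:
            if pol.provider != provider_vn:
                continue
            for sub in sorted(pol.subscribers):
                hit = self._lookup(sub, dst)
                if hit:
                    return sub, hit[1]
        return None


def policy_rejected(cp, policy):
    """True if the control plane refuses the policy (helper for checks)."""
    try:
        cp.add_policy(policy)
    except ValueError:
        return True
    return False


def build_demo_cp():
    """Constructed single-site sample: two subscriber VNs, two provider VNs."""
    cp = ControlPlane()
    cp.register("Employee", "9.10.60.0/24", "10.0.0.11")       # behind edge node 1
    cp.register("Contractor", "9.10.61.0/24", "10.0.0.12")     # behind edge node 2
    cp.register("Shared Services", "10.1.1.0/24", "10.0.0.1")  # registered via the border
    cp.default_borders["Internet"] = ["10.0.0.1", "10.0.0.2"]  # borders holding 0/0
    cp.add_policy(ExtranetPolicy("P1", "Shared Services", frozenset({"Employee", "Contractor"})))
    cp.add_policy(ExtranetPolicy("P2", "Internet", frozenset({"Employee", "Contractor"})))
    return cp
```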
Cisco SD-Access Extranet: Key Take Away
- Automated Route Leaking Configuration via Cisco DNA Center.
- Subscriber to Subscriber communication is not supported.
- Extranet is not meant to leak Fabric VRF to Fabric VRF. If two devices inside the Fabric need to communicate with one another, put them in the same Virtual Network.
- If Inter-VN policy enforcement is desired on devices such as firewalls, then use traditional route leaking.

[Topology diagram: Small Branch, Migration Sites 1 to 4, SD-Access Network (Headquarters), Data Center with ISE, Cisco DNA Center and DHCP, DNS, AD (Services), Firewall, WAN, Convention Center; callouts for Fabric Underlay, Seamless Internet and Critical Services]
177、ion Site 1)SD-Access Network(Headquarters)SD-Access Network(Migration Site 2)Data CenterISECisco DNACenter DHCP,DNS,AD(Services)SD-Access Network(Migration Site 3)Migration Site 4Seamless InternetSeamless InternetFabric UnderlayCritical ServicesFirewallWANWANConvention CenterBRKENS-2811133 2023 Cisc
178、o and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveProgress ChartBRKENS-2811134Seamless Internet ConnectivityLISP Pub/Sub 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveCisco SD-AccessConsistent Policy across Cisco SD-Access sites.No loss in Internet Connec
179、tivity(Active/Backup Internet).Seamless Internet ConnectivitySeamless Internet ConnectivityBRKENS-2811136 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveCisco SD-AccessCisco SD-Access TransitLISP Publisher/Subscriber Seamless Internet ConnectivitySeamless Internet Connect
180、ivityBRKENS-2811137SD-Access Transits 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveFabric ConstructsTransits A Closer LookTransitsconnect a Fabric Site to another network or another Fabric Site.Connect a Fabric Site to the external world and the Data Center.Connects Fab
181、ric Site to other Fabric Sites.TransitTransitData CenterData CenterShared Shared ServicesServicesInternetInternetBRKENS-2811139 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveFabric ConstructsSDSD-Access TransitAccess TransitMaintains Cisco SD-Access constructs(LISP,VXLAN
182、,CTS)natively between sites.End-to-end policy maintained using Fabric encapsulation End-to-end automated by Cisco DNA CenterUses domain-wide Control Plane Nodes for inter-site control plane communicationRequires WAN/MAN to support a large enough MTU for 50-byte VXLAN header IPIP-Based TransitBased T
183、ransitBorders hand off traffic direct to external domain with VRF-lite and BGPEnd-to-end policy maintained using manual configurationRequires remapping of VRFs and SGTs to maintain policy and segmentation between SitesTraffic between sites use external networks control plane and data plane protocols
184、For More Information:Cisco SDCisco SD-Access Access Connecting Multiple Sites in a Single Fabric Domain Connecting Multiple Sites in a Single Fabric Domain-BRKENSBRKENS-28152815For YourReferenceTransits A Closer LookBRKENS-2811140 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#Cis
185、coLiveGeneric IP-Based WAN Transit Between Fabric SitesSD-Access Fabric SiteSD-Access Fabric SiteCisco DNA CenterMANAGEMENT LISPVXLAN HeaderVNID(24 bits)SGT(16 bits)MP-BGP/OtherMPLS LabelsVPN (20 bits)CONTROL PLANEDATA PLANELISPVXLAN HeaderVNID(24 bits)SGT(16 bits)BGPVRF-lite802.1QVLAN ID(12 bits)BG
186、PVRF-lite802.1QVLAN ID(12 bits)SGTs in SXPSGTs in SXPISEBRKENS-2811141 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveCisco SD-Access TransitControl PlaneFabric Site 20Fabric Site 10LISPLISPLISPSD-Access TransitBRKENS-2811142 2023 Cisco and/or its affiliates.All rights re
187、served.Cisco Public#CiscoLiveCisco SD-Access TransitData PlaneFabric Site 20Fabric Site 10VXLANVXLANVXLANSD-Access TransitBRKENS-2811143 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveCisco SD-Access TransitPolicy PlaneFabric Site 20Fabric Site 10SGTs in VXLANSGTs in VXLA
188、NSGTs in VXLANSD-Access TransitBRKENS-2811144 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveCisco SD-Access TransitManagement PlaneFabric Site 20Fabric Site 10Cisco DNA CenterCisco DNA CenterCisco DNA CenterSD-Access TransitBRKENS-2811145 2023 Cisco and/or its affiliates
189、.All rights reserved.Cisco Public#CiscoLive Transit Control Plane nodes are dedicated devices dedicated devices with IP reachability to every fabric sites Border nodes Transit Control Plane nodes is not required to be in data not required to be in data forwarding pathforwarding path Transit Control
190、Plane nodes maintains aggregate prefixes of all Fabric sites Fabric site Border node should be either External or Anywhere border type to connect to SD-Access Transit.SD-Access Transit can be deployed with LISP-BGP or LISP LISP Pub/Sub Pub/Sub SDSD-Access Access Transit14For YourReferenceCisco SD-Ac
191、cess DeploymentMultisite Deployment with SD-Access TransitBRKENS-2811146SD-Access Transit is a native solution carrying VN and SGT between Fabric sites.Typical use cases:Typical use cases:oFully automated Site-to-Site connectivityoConsistent policy and end-to-end segmentation using VNs and SGTsoSite
192、s in same Metro area,CampusSD-Access Control Plane ProtocolsAn Introduction to LISP Pub/Sub 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSD-Access Control Plane ProtocolCisco DNA Center 2.2.3.xLISP/BGPLISP/BGPReleased circa 2017An instant classicReliable and StableBGP T
193、ransportLISP Pub/SubLISP Pub/SubReleased in 2021An instant masterpieceReliable and StableNative LISP Transport Highly ExtensibleBRKENS-2811148 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveLISP Pub/SubExtensibilityExtensibilityLISP Pub/Sub builds a new framework for LISP
194、 infrastructure.LISP Pub/Sub architecture is a building block for other features and capabilities:Dynamic Default Border NodeLISP Backup InternetSD-Access ExtranetMulticast across SD-Access TransitWhat Challenges are We Solving?What Challenges are We Solving?BRKENS-2811149 2023 Cisco and/or its affi
195、liates.All rights reserved.Cisco Public#CiscoLiveLISP Pub/SubLISP Pub/Sub is new control plane protocol for SD-Access.It is a signaling protocol to carry information such as as prefixes,mappings,and other data.LISP Pub/Sub provides the capability to selectively push information.Architecture Introduc
196、tionArchitecture IntroductionArchitecture Use CasesArchitecture Use CasesLISP Pub/Sub removes the dependency of BGP to propagate information within the Fabric Site.LISP Pub/Sub adds new features and capabilities because of the information it can carry.BRKENS-2811150 2023 Cisco and/or its affiliates.
197、All rights reserved.Cisco Public#CiscoLiveLISP/BGP Control PlaneReliance on BGPReliance on BGPTo push LISP Site-Registration table to another device,another protocol was needed.BGP was used as that transportThis created an underlying reliance on BGP.Before LISP Pub/SubBefore LISP Pub/SubEBGPIBGPRout
198、e-ReflectEBGPMap-RegistrationImport into map-cacheroute-import database bgpEBGPRoute-ReflectImport into map-cacheSite-1Site-1Site-1Site-2Map-RegistrationDCBRKENS-2811BRKENS-2811151 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveLISP/BGP Control PlaneReliance on BGPWith BG
199、P,LISP only knows the prefixes,not full EID-to-RLOC mappings.BGP populates map-cache with an incomplete entryMap-cache is fully resolved through map-requestsThis mean additional control plane protocol messages.When BGP reconverges,map-cache needs to updated.This means further control plane messages
200、Before LISP Pub/SubBefore LISP Pub/SubFor YourReferenceBRKENS-2811152 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveLISP Pub/Sub Control PlaneLISP Pub/Sub introduces the capability within the control plane signaling of LISP to selectively push information.The mapping sys
201、tem(Control Plane Node)notifies PITRs(Border Nodes)about mapping changes along with additional details associated with those mappings.LISP Pub/Sub uses native LISP,devoid of external protocol such as BGP,to propagate the prefixes and full mapping information.The Architecture EvolutionThe Architectur
202、e EvolutionEBGPLISP Pub/SubLISP Pub/SubLISP Pub/SubLISP Pub/SubLISP Pub/SubLISP Pub/SubLISP Pub/SubSite-1Site-1Site-1DCLISP Pub/SubSite-2BRKENS-2811153 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveLISP Pub/Sub Control PlaneSubscriptionThe process LISP devices use to exp
203、ress interest for a certain portion of information within the mapping system.PublicationPublicationThe information that the mapping system sends to the Subscriber(the LISP device).Basic Definitions Basic Definitions Part 1Part 1For YourFor YourReferenceReferenceBRKENS-2811154 2023 Cisco and/or its a
204、ffiliates.All rights reserved.Cisco Public#CiscoLiveLISP Pub/Sub Control PlaneSubscribersSubscribersBorder NodesPublishersPublishersControl Plane Nodes/Transit Control Plane NodesBasic Definitions Basic Definitions Part 2Part 2For YourReferenceBRKENS-2811155 2023 Cisco and/or its affiliates.All righ
205、ts reserved.Cisco Public#CiscoLivePublishersSubscribersPublisherSubscriberBRKENS-2811156 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveLISP Pub/SubIn release 2.2.3.x,LISP Pub/Sub is supported only for newly created newly created fabric sites with devices running IOS XE s
206、oftware 17.6.x Migration from LISP/BGP to LISP Pub/Sub is not currently available.When we upgrade DNAC release to DNAC 2.2.3.x fabric sites created prior to this will continue to operate with LISP BGP based fabric.Transit Control Plane Nodes can support LISP/BGP fabric sites or LISP Pub/Sub-based fa
207、bric sites,not both simultaneously.DetailsDetailsFor YourReferenceBRKENS-2811157LISP Dynamic Default Border Node 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveLISP Pub/Sub-Dynamic Default BorderNote:Convergence of the network after a Border Node reload is the responsibil
208、ity of the IGP in the underlay.Current Network ChallengesCurrent Network ChallengesLoss of Default Route Loss of Default Route If a Border Nodes losses the default route,it can take minutes for the network to converge(BGP).Note:This a common routing challenge that is not specific to SD-Access LISP F
209、abric.Potential Ways to Solve For Potential Ways to Solve For Loss of Default RouteLoss of Default RouteBidirectional Forwarding Detection(BFD)Per-VRF IBGP between redundant Border Nodes EEM scripts tracking state of EBGP PeersBRKENS-2811159Fabric Gateway of Last ResortLISP BGP 2023 Cisco and/or its
210、 affiliates.All rights reserved.Cisco Public#CiscoLiveLISP BGPConfigure an Edge Node to use one or Border Nodes as the Fabric Gateway of Last Resort.Configure an xTR to use one or more PeTRs as the gateway of last resort in the Fabric Site.Problem StatementFor YourReferenceBRKENS-2811161 2023 Cisco
211、and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveLISP BGPStatic use-petr configuration is used on all the xTRs to configure the proxy-ETR.When the xTR receives NMR from map server,xTRs forward traffic to this configured proxy-ETR.Configured proxy-ETRs cannot be changed dynamically if
212、external connectivity at the proxy-ETR changes.Static Solutionrouter lisp!Output omitted for brevity service ipv4itr map-resolver 192.168.10.1etr map-server 192.168.10.1 etruse-petr 192.168.30.7use-petr 192.168.30.8proxy-itr 192.168.30.5exit-service-ipv4Static use-petr configurationFor YourReference
213、BRKENS-2811162 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveLISP BGP Forwarding LogicDestination IP=208.67.220.220(Internet Destination)Map-Request:208.67.220.220Negative Map-Reply(NMR)Destination IP=208.67.220.220(Subsequent Packets)HostSignal LISPConsult use-petr conf
214、iguration Encapsulate and send to PETREdge NodeControl Plane NodeBorder NodeBRKENS-2811163Fabric Gateway of Last ResortLISP Pub/Sub 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveLISP Pub/Sub-Dynamic Default BorderConfigure an Edge Node to use one or Border Nodes as the F
215、abric Gateway of Last Resort.Configure an xTR to use one or more PeTRs as the gateway of last resort in the Fabric Site.Problem StatementProblem StatementFor YourReferenceBRKENS-2811165 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveLISP Pub/Sub-Dynamic Default BorderImpl
216、ement LISP to monitor for the presence or absence of the default route Border Nodes.Do this on a per-VRF basis.Provide a method for the Border Nodes to registered the state of the default route to the Control Plane Nodes.Dynamically program this default route state information into map-cache on the
217、Edge Nodes.SolutionSolutionFor YourReferenceBRKENS-2811166 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveUnknown-EID Map-Reply(UMR)with list of Border NodesLISP Pub/Sub Solution Forwarding LogicDestination IP=208.67.220.220(Internet Destination)Map-Request:208.67.220.220
218、Destination IP=208.67.220.220(Subsequent Packets)HostSignal LISPPopulate Map-Cache with list of Border NodesEncapsulate and send to Border NodeEdge NodeControl Plane NodeBorder NodeBRKENS-2811167 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveLISP Pub/Sub-Dynamic Default
219、BorderRegistrationRegistrationA Border Node tracks the state of the default route for a given VRF.A Border Node then notifies the Control Plane Node of the state of the default route.DeDe-prioritizationprioritizationA Border Node notifies the Control Plane Node of the loss of the default route.The B
220、order Node registers itself with the Control Plane Node with a LISP Priority of 255.A LISP Priority of 255 indicates the Border Node cannot be used as a Fabric Gateway of Last Resort.Definition of TermsBRKENS-2811168 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveLISP Pub
221、/Sub-Dynamic Default BorderDynamic Default Border is enabled by default when we have external borders in the fabric.Dynamic Default Border works only with LISP Pub/Sub-based fabrics.Dynamic Default Border monitors the default route on External Border/s and registers that with Control Plane node/sWit
222、h Dynamic Default Border,if external border/s loses upstream connectivity,fabric Edge nodes will no longer forward traffic to those external borders,and will dynamically detect and forward the traffic via other available external borders With this functionality,traffic within the fabric will quickly
223、 converge minimizing traffic loss towards border and traverse traffic through the other border.This avoids the need of configuring iBGP manually between external borders.With Dynamic Default Border feature fabric edges will not have static“use-petr”anymore instead they will dynamically route the tra
224、ffic to the border with active default route.Depending on the design,Border Node/s are going to register the default route with Local/Transit Control Plane node/sDetailsFor YourReferenceBRKENS-2811169 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSDSD-Access NetworkAcces
225、s Network(Migration Site 4)(Migration Site 4)InternetLISP BGPiBGP-Manual/TemplateseBGP-AutomatedLISP Pub/Sub-Dynamic Default BorderBRKENS-2811170 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSDSD-Access NetworkAccess Network(Migration Site 4)(Migration Site 4)InternetLI
226、SP BGPiBGP-Manual/TemplateseBGP-AutomatedLISP Pub/Sub-Dynamic Default BorderBRKENS-2811171 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSDSD-Access NetworkAccess Network(Migration Site 4)(Migration Site 4)InternetLISP BGPiBGP-Manual/TemplateseBGP-AutomatedLISP Pub/Sub-D
227、ynamic Default BorderBRKENS-2811172 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSDSD-Access NetworkAccess Network(Migration Site 4)(Migration Site 4)InternetLISP Pub/SubEBs-Tracks Default Route(0.0.0.0/0)Per Layer 3 VNiBGP-Manual/TemplateseBGP-AutomatedLISP Pub/Sub-Dyn
228、amic Default BorderBRKENS-2811173 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSDSD-Access NetworkAccess Network(Migration Site 4)(Migration Site 4)InternetLISP Pub/SubEBs-Tracks Default Route(0.0.0.0/0)Per Layer 3 VNiBGP-Manual/TemplateseBGP-AutomatedLISP Pub/Sub-Dynam
229、ic Default BorderBRKENS-2811174 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSDSD-Access NetworkAccess Network(Migration Site 4)(Migration Site 4)InternetLISP Pub/SubEBs-Tracks Default Route(0.0.0.0/0)Per Layer 3 VNiBGP-Manual/TemplateseBGP-AutomatedLISP Pub/Sub-Dynamic
230、 Default BorderBRKENS-2811175LISP Backup Internet 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveLISP Backup InternetDynamic Default Border Node Dynamic Default Border Node Border Convergence within a single Fabric Site.Results in the removal of using useuse-petrpetr with
231、in the Fabric Site.Backup InternetBackup InternetEssentially Border Convergence across an SD-Access Transit.Results in the removal of using useuse-petrpetr within the Fabric Domain.LISP Backup Internet builds on top of Dynamic Default Border Node feature.Comparison of FunctionalityComparison of Func
232、tionalityBRKENS-2811177 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSDSD-Access TransitAccess TransitInternetInternetEBs-Tracks Default Route(0.0.0.0/0)Per Layer 3 VN with CP/TCEBs-Tracks Default Route(0.0.0.0/0)Per Layer 3 VN with CP/TCSDSD-Access NetworkAccess Networ
233、k(Migration Site 4)(Migration Site 4)SDSD-Access NetworkAccess Network(Migration Site n)(Migration Site n)eBGP-Automated by DNACLISP Backup InternetBRKENS-2811178 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSDSD-Access TransitAccess TransitInternetInternetEBs-Tracks De
234、fault Route(0.0.0.0/0)Per Layer 3 VN with CP/TCEBs-Tracks Default Route(0.0.0.0/0)Per Layer 3 VN with CP/TCSDSD-Access NetworkAccess Network(Migration Site 4)(Migration Site 4)SDSD-Access NetworkAccess Network(Migration Site n)(Migration Site n)eBGP-Automated by DNACLISP Backup InternetBRKENS-281117
235、9 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSDSD-Access TransitAccess TransitInternetInternetEBs-Tracks Default Route(0.0.0.0/0)Per Layer 3 VN with CP/TCEBs-Tracks Default Route(0.0.0.0/0)Per Layer 3 VN with CP/TCSDSD-Access NetworkAccess Network(Migration Site 4)(Mi
236、gration Site 4)SDSD-Access NetworkAccess Network(Migration Site n)(Migration Site n)eBGP-Automated by DNACLISP Backup InternetBRKENS-2811180 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSDSD-Access TransitAccess TransitInternetInternetEBs-Tracks Default Route(0.0.0.0/0)
237、Per Layer 3 VN with CP/TCEBs-Tracks Default Route(0.0.0.0/0)Per Layer 3 VN with CP/TCSDSD-Access NetworkAccess Network(Migration Site 4)(Migration Site 4)SDSD-Access NetworkAccess Network(Migration Site n)(Migration Site n)eBGP-Automated by DNACLISP Backup InternetBRKENS-2811181 2023 Cisco and/or it
238、s affiliates.All rights reserved.Cisco Public#CiscoLiveSDSD-Access TransitAccess TransitInternetInternetEBs-Tracks Default Route(0.0.0.0/0)Per Layer 3 VN with CP/TCEBs-Tracks Default Route(0.0.0.0/0)Per Layer 3 VN with CP/TCSDSD-Access NetworkAccess Network(Migration Site 4)(Migration Site 4)SDSD-Ac
239、cess NetworkAccess Network(Migration Site n)(Migration Site n)eBGP-Automated by DNACLISP Backup InternetBRKENS-2811182 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveLISP Backup InternetIn summary,local Internet is In summary,local Internet is preferred over Backup Intern
240、et preferred over Backup Internet within the Fabric Site.within the Fabric Site.If local Internet is down for the site,then explore other options provided by other fabric sites(Backup Internet).Select this box on Border nodes if we want to share internet access.Key TakeawayKey TakeawayBRKENS-2811183
Sample CLI Verification (17.6.2), LISP Backup Internet. All four external borders (192.168.10.1 and 192.168.10.2 under Domain-ID 1301190878; 192.168.20.1 and 192.168.20.2 under Domain-ID 338675736) have their default route and are registered with the default priority of 10:

    TCPN-1#show lisp remote-locator-set default-etrs
    Codes: P  = Primary/Direct in use, Backup not available
           PB = Primary/Direct in use, Backup available
           B  = Backup in use, Primary/Direct not available
           BP = Backup in use, Primary/Direct available
    LISP remote-locator-set default-etr-locator-set-ipv4 Information
    RLOC          Pri/Wgt/Metric  Inst  Domain-ID/MH-ID    ETR      SI/ID
    192.168.10.1  10/10/0         4099  1301190878/39134   Default  PB/-
    192.168.10.2  10/10/0         4099  1301190878/39134   Default  PB/-
    192.168.20.1  10/10/0         4099  338675736/51224    Default  PB/-
    192.168.20.2  10/10/0         4099  338675736/51224    Default  PB/-

Sample CLI Verification (17.6.2) after the 192.168.10.x borders lose their default route: they re-register with priority 255 and move to the Backup (B) state, so traffic uses the 192.168.20.x borders:

    TCPN-1#show lisp remote-locator-set default-etrs
    Codes: P  = Primary/Direct in use, Backup not available
           PB = Primary/Direct in use, Backup available
           B  = Backup in use, Primary/Direct not available
           BP = Backup in use, Primary/Direct available
    LISP remote-locator-set default-etr-locator-set-ipv4 Information
    RLOC          Pri/Wgt/Metric  Inst  Domain-ID/MH-ID    ETR      SI/ID
    192.168.10.1  255/10/0        4099  1301190878/39134   Default  B/-
    192.168.10.2  255/10/0        4099  1301190878/39134   Default  B/-
    192.168.20.1  10/10/0         4099  338675736/51224    Default  PB/-
    192.168.20.2  10/10/0         4099  338675736/51224    Default  PB/-

LISP Remote Internet
Diagram: SD-Access Transit connecting SD-Access Network (Migration Site n), SD-Access Network (Migration Site 4) and a Remote SD-Access site; Internet exits at Site 4 and Site n; the EBs track the default route (0.0.0.0/0) per Layer 3 VN with CP/TC.
- The Remote SD-Access Site uses Internet from either Site 4 or Site n by default if the Internet in those sites is shared.

LISP Border Node Priority
- The Remote SD-Access Site always prefers Migration Site 4, as its LISP priority is lower.
- Remote SD-Access Site traffic goes via Migration Site n only if Site 4 has no Internet (no default route available).

Border Node Priority UI Automation
Diagram: Cisco SD-Access Network with VN "Employee" and VN "Contractor" egressing to the Internet.

Border Node Priority - Details
- Supported from Cisco DNA Center 2.3.3.x.
- Cisco DNA Center provides users the capability to select a border node to egress the fabric network traffic.
- Users can set priority values between 1 and 9 (1 is the highest priority and 9 is the lowest; the lower number is the preferred border).
- By default (if the user does not set a priority value), the border is assigned a priority value of 10.
- If border priorities are not set (or are the same across borders), traffic is load balanced across the border nodes.
- Users can modify the border node priority on Day N without removing devices from the fabric.
- The priority value set for a border applies to all the virtual networks that are handed off from that border.
- If an SD-Access Transit interconnects the fabric sites, the external border with the lowest priority is chosen to send traffic to external networks.
- Supported with both LISP Pub/Sub and LISP BGP fabrics.

For More Information
- Deep dive on LISP architecture: LISP Architecture Evolution - New Capabilities Enabling SD-Access - BRKENS-2828
- Design best practices: Cisco SD-Access Best Practices - Design and Deployment - BRKENS-2502
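As an added example (not part of the session's material), the following Python parses the two "show lisp remote-locator-set default-etrs" samples above and applies the selection rules from the Definition of Terms and Border Node Priority slides: a border registered with priority 255 is excluded, the lowest remaining priority wins, and equal priorities are all kept because traffic is load balanced across them. The sample outputs are constructed to match the slides; the function names are this example's own.

```python
import re

# Constructed sample modelled on the healthy state shown on the slide: all four
# external borders still have their default route and use the default priority 10.
HEALTHY_OUTPUT = """\
TCPN-1#show lisp remote-locator-set default-etrs
Codes: P  = Primary/Direct in use, Backup not available
       PB = Primary/Direct in use, Backup available
       B  = Backup in use, Primary/Direct not available
       BP = Backup in use, Primary/Direct available
LISP remote-locator-set default-etr-locator-set-ipv4 Information
RLOC          Pri/Wgt/Metric  Inst  Domain-ID/MH-ID    ETR      SI/ID
192.168.10.1  10/10/0         4099  1301190878/39134   Default  PB/-
192.168.10.2  10/10/0         4099  1301190878/39134   Default  PB/-
192.168.20.1  10/10/0         4099  338675736/51224    Default  PB/-
192.168.20.2  10/10/0         4099  338675736/51224    Default  PB/-
"""

# Constructed sample modelled on the degraded state: the 192.168.10.x borders
# lost their default route and re-registered with LISP priority 255.
DEGRADED_OUTPUT = """\
TCPN-1#show lisp remote-locator-set default-etrs
LISP remote-locator-set default-etr-locator-set-ipv4 Information
RLOC          Pri/Wgt/Metric  Inst  Domain-ID/MH-ID    ETR      SI/ID
192.168.10.1  255/10/0        4099  1301190878/39134   Default  B/-
192.168.10.2  255/10/0        4099  1301190878/39134   Default  B/-
192.168.20.1  10/10/0         4099  338675736/51224    Default  PB/-
192.168.20.2  10/10/0         4099  338675736/51224    Default  PB/-
"""

# Per the slides, priority 255 means "cannot be used as a Fabric Gateway of Last Resort".
UNUSABLE_PRIORITY = 255

# One RLOC row: RLOC  Pri/Wgt/Metric  Inst  Domain-ID/MH-ID  ETR  SI/ID
ROW_RE = re.compile(
    r"^(?P<rloc>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<pri>\d+)/(?P<wgt>\d+)/(?P<metric>\d+)\s+"
    r"(?P<inst>\d+)\s+(?P<domain>\d+)/(?P<mh>\d+)\s+"
    r"(?P<etr>\S+)\s+(?P<state>\S+)$"
)


def parse_default_etrs(output):
    """Return the RLOC rows as dicts; the prompt, code legend and column header are skipped."""
    rows = []
    for line in output.splitlines():
        match = ROW_RE.match(line.strip())
        if match is None:
            continue
        row = match.groupdict()
        for key in ("pri", "wgt", "metric", "inst", "domain", "mh"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def borders_without_default_route(rows):
    """RLOCs the control plane node has de-prioritized (registered with priority 255)."""
    return [r["rloc"] for r in rows if r["pri"] == UNUSABLE_PRIORITY]


def select_gateways_of_last_resort(rows, instance_id):
    """Borders an edge node may use for one Layer 3 VN (LISP instance-id):
    drop priority-255 entries, keep only the lowest remaining priority, and
    return every RLOC at that priority (equal priorities are load balanced)."""
    usable = [r for r in rows if r["inst"] == instance_id and r["pri"] != UNUSABLE_PRIORITY]
    if not usable:
        return []
    best = min(r["pri"] for r in usable)
    return sorted(r["rloc"] for r in usable if r["pri"] == best)


if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY_OUTPUT), ("degraded", DEGRADED_OUTPUT)):
        rows = parse_default_etrs(text)
        print(label, "de-prioritized:", borders_without_default_route(rows),
              "usable for instance 4099:", select_gateways_of_last_resort(rows, 4099))
```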
Transit Control Plane Node Design Considerations
1. The device must be dedicated to the transit control plane node role. Example: it cannot also be a fabric border node.
2. Ideally, the device should not be in the data forwarding (transit) path between sites. Treat this like a BGP route reflector.
3. Deploy a pair of Transit Control Plane Nodes. Always deploy in pairs for fabric domain resiliency.

SD-Access Transit Design Considerations
1. Jumbo frame support: the transit must accommodate a frame size large enough for the 50-byte VXLAN header.
2. Commonly direct or leased fiber over a Metro Ethernet (MAN) system: Metro-E, DWDM, owned or leased private circuits, dark fiber. Designed for MAN, not for WAN unless the MTU is sufficient.
3. IP reachability: commonly an IGP across the circuit. A full mesh of reachability between Loopback 0 of all Border Nodes connected to an SD-Access Transit, as well as the associated Transit Control Plane Nodes.
4. Choose the LISP mode of operation: LISP Pub/Sub or LISP/BGP.

Seamless Internet Connectivity: Take Away
- Using the SD-Access Transit, packets are encapsulated between sites using the fabric VXLAN encapsulation. This natively carries the macro (VRF) and micro (SGT) policy constructs between fabric sites.
- A Cisco SD-Access Transit built with LISP Pub/Sub has built-in functionalities such as: Dynamic Default Border; LISP Backup Internet; SD-Access Extranet; Multicast over SD-Access Transit; LISP Remote Internet (supported with LISP BGP as well); Border Priority (supported with LISP BGP as well).
- All the above functionalities are automated via Cisco DNA Center.

Diagram: SD-Access Networks at Headquarters, Migration Sites 1 to 4 and a Small Branch over the fabric underlay and WAN, with Seamless Internet, Critical Services, Firewall, Convention Center, and a Data Center hosting ISE, Cisco DNA Center and DHCP, DNS, AD (Services).

Progress Chart

Consistent Policy Across Geographic Locations

Cisco SD-Access | Cisco SD-WAN: Independent Domains
- SD-WAN: Control Plane: OMP; Data Plane: IPSec | MPLS; Policy Plane: CMD in IPSec; Management Plane: Cisco vManage
- SD-Access: Control Plane: LISP; Data Plane: VXLAN; Policy Plane: SGT; Management Plane: Cisco DNA Center
- Handoff: Control Plane: BGP; Data Plane: VRF-lite; Policy Plane: Inline Tagging

Diagram (build-up): Cisco SD-WAN connecting Migration Site 3, Small Branch 1 and Small Branch 2; each site becomes an SD-Access Network with an IOS XE SD-WAN Edge Router; policy constructs are sent and received across the SD-WAN.

Multisite Deployment with SD-WAN Transit
- Cisco SD-WAN Transit provides the capability to carry VN and SGT across the WAN transport.
- Key considerations: fabric site network requirements; Border and WAN Edge platform capabilities.

Cisco SD-Access Deployment
- The Cisco SD-WAN solution, powered by Cisco IOS-XE software, provides highly secure and reliable WAN overlay topologies.
- IOS-XE WAN Edge devices provide the flexibility to add on security capabilities such as Direct Internet Access (DIA), Application-Aware Routing, Firewall, IPS and more.
- Cisco SD-Access provides the flexibility to deploy integrated LAN and wireless with consistent policy at scale.
- Cisco SD-Access and SD-WAN can be deployed with an Independent Domain: DNA Center and vManage are not integrated. (Diagram: SD-WAN Transit with IPSec carrying VPN and SGT; SD-WAN Controllers.)

Cisco SDA | SDWAN Independent Deployment
- The Cisco SD-WAN WAN Edge and the SD-Access Border Node are different devices, managed by their respective domain controllers.
- Macro-segmentation (VN) is maintained with an IP handoff between the Fabric Border Node and the WAN Edge device.
- Micro-segmentation (SGT) is shared with Cisco TrustSec inline tagging. This requires the WAN Edge router and the interface to support TrustSec.
- More details: Cisco Intent Based Cross and Multidomain Integrations for SDA and SD-WAN - BRKXAR-2001

Independent Domains: Ethernet Frame with SGT (Inline Tagging)
Frame layout: Destination MAC | Source MAC | 802.1Q Tag | Cisco Metadata (CMD), EtherType 0x8909 | Payload | FCS
CMD fields: CMD EtherType | Version | Length | SGT Opt Type | SGT Value (16 bits) | Other CMD Options
Inline tagging carries: 802.1Q VLAN ID (12 bits) and SGT (16 bits)
- The SD-Access Border Node connects to the IOS XE WAN Edge with an 802.1Q trunk. This maps the Fabric VNs (VRFs) into SD-WAN VPNs.
- The SGT is populated in the CMD field of the Ethernet frame by the SD-Access Border Node. It is taken out of the fabric VXLAN header and put into the frame via inline tagging.
- The IOS XE WAN Edge receives the SGT from this frame and encodes it into the MDATA header.
- Note: The LAN interface of the router needs to support inline SGT tagging.
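As an added example (not Cisco's code), the following Python builds and parses the inline-tagged handoff frame described above: 802.1Q tag with the 12-bit VLAN ID that identifies the fabric VN, then the CMD header with EtherType 0x8909 carrying the 16-bit SGT, then the payload. The slide names the CMD fields but not their widths, so the 1-byte Version and Length, the 2-byte SGT option type value 0x0001, and the inner EtherType that follows CMD are assumptions of this example; the VLAN-to-VPN mapping is constructed.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_CMD = 0x8909        # Cisco Metadata EtherType, as shown on the slide
CMD_VERSION = 0x01            # assumed: 1-byte Version field
CMD_LENGTH = 0x01             # assumed: 1-byte Length field value for an SGT-only CMD
CMD_SGT_OPTION_TYPE = 0x0001  # assumed: 2-byte SGT Opt Type value


def build_inline_tagged_frame(dst_mac, src_mac, vlan_id, sgt, inner_ethertype, payload):
    """Frame in slide order: DMAC | SMAC | 802.1Q | CMD(SGT) | inner EtherType | payload.
    VLAN ID is a 12-bit field and SGT a 16-bit field; the FCS is left to the NIC."""
    if len(dst_mac) != 6 or len(src_mac) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    if not 0 <= vlan_id <= 0x0FFF:
        raise ValueError("VLAN ID is a 12-bit field")
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT is a 16-bit field")
    tci = vlan_id  # PCP and DEI bits left at zero (constructed)
    frame = dst_mac + src_mac
    frame += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    frame += struct.pack("!HBBHH", ETHERTYPE_CMD, CMD_VERSION, CMD_LENGTH,
                         CMD_SGT_OPTION_TYPE, sgt)
    frame += struct.pack("!H", inner_ethertype) + payload
    return frame


def parse_inline_tagged_frame(frame):
    """Walk the headers and return the VLAN ID (None if untagged), the SGT from CMD
    (None if the frame carries no CMD), the inner EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    vlan_id = None
    if ethertype == ETHERTYPE_8021Q:
        (tci,) = struct.unpack_from("!H", frame, off)
        off += 2
        vlan_id = tci & 0x0FFF  # low 12 bits of the TCI
        (ethertype,) = struct.unpack_from("!H", frame, off)
        off += 2
    sgt = None
    if ethertype == ETHERTYPE_CMD:
        _version, _length, opt_type, sgt_value = struct.unpack_from("!BBHH", frame, off)
        off += 6
        if opt_type != CMD_SGT_OPTION_TYPE:
            raise ValueError("unexpected CMD option type 0x%04x" % opt_type)
        sgt = sgt_value
        (ethertype,) = struct.unpack_from("!H", frame, off)
        off += 2
    return {"dst_mac": frame[0:6], "src_mac": frame[6:12], "vlan_id": vlan_id,
            "sgt": sgt, "ethertype": ethertype, "payload": frame[off:]}


def wan_edge_classify(frame, vlan_to_vpn):
    """What the WAN Edge derives from the handoff frame: the SD-WAN VPN that the
    VLAN (fabric VN) maps to and the SGT it will encode into the MDATA header."""
    parsed = parse_inline_tagged_frame(frame)
    if parsed["vlan_id"] not in vlan_to_vpn:
        raise ValueError("frame is not on a VLAN mapped to an SD-WAN VPN")
    return {"vpn": vlan_to_vpn[parsed["vlan_id"]], "sgt": parsed["sgt"],
            "ethertype": parsed["ethertype"]}


if __name__ == "__main__":
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    frame = build_inline_tagged_frame(dst, src, 100, 5, 0x0800, b"\x45" + bytes(19))
    print(frame.hex())
    print(wan_edge_classify(frame, {100: "Employee"}))  # constructed VLAN-to-VPN mapping
```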
Cisco SD-Access to SD-WAN: Independent Domains
- Control plane: LISP within each SD-Access Fabric Site; BGP with VRF-lite at the handoff to the WAN Edge; OMP within the SD-WAN Fabric.
- Data plane: VXLAN header with VNID (24 bits) and SGT (16 bits) within each SD-Access Fabric Site; 802.1Q with VLAN ID (12 bits) and SGT (16 bits) via inline tagging at the handoff to the WAN Edge; IPSec header and MPLS labels with VPN (20 bits) plus CMD header with SGT (16 bits) within the SD-WAN Fabric.
- Management: Cisco DNA cluster and ISE for the SD-Access Fabric Sites; SD-WAN Controllers for the SD-WAN Fabric.
- Identity and group-based policy: Cisco DNA cluster and ISE.

Diagram: SD-Access Networks at Headquarters, Migration Sites 1 to 4, Small Branch 1 and Small Branch 2 over the fabric underlay and WAN, with Seamless Internet, Critical Services, Firewall, Convention Center, and a Data Center hosting ISE, Cisco DNA Center and DHCP, DNS, AD (Services).

Progress Chart

Cisco SD-Access Collaterals
- Cisco Software-Defined Access: Enabling intent-based networking
- Cisco Software-Defined Access for Industry Verticals

SD-Access Resources
- SD-Access At-A-Glance
- SD-Access Ordering Guide
- SD-Access Solution Overview
- SD-Access YouTube Channel
- *New* SD-Access Design Tool
- EN&C Validated Designs

SD-Access Platform Support
- Cisco DNA Center Data Sheet: platform support based on the fabric role.
- Supported hardware and software versions for all Cisco SD-Access components. For more details: Cisco Software-Defined Access Compatibility Matrix.

Cisco SD-Access Scale Details
- For more details: Cisco DNA Center Data Sheet.

Summary and What's Next
- Thank you. We can't do this without you!
- Keep sharing the feedback. We are listening.
- Ask the Cisco Sales or CX teams for help.
- Ask questions on the Cisco SD-Access communities: http://cs.co/sda-community
- Go Cisco SD-Access!

Fill out your session surveys!
- Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)!
- These points help you get on the leaderboard and increase your chances of winning daily and grand prizes.
- Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed.

Continue your education
- Visit the Cisco Showcase for related demos
- Book your one-on-one Meet the Engineer meeting
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
- Visit the On-Demand Library for more sessions at www.CiscoL

Thank you

Gamify your Cisco Live experience! Get points for attending this session!
How:
1. Open the Cisco Events App.
2. Click on Cisco Live Challenge in the side menu.
3. Click on View Your Badges at the top.
4. Click the + at the bottom of the screen and scan the QR code.