Cisco Campus Fabric Introduction

Vedran Hafner
Systems engineer
Cisco
Campus Fabric
Abstract

Is your Campus network facing some, or all, of these challenges?

• Host Mobility (w/o stretching VLANs)

• Network Segmentation (w/o implementing MPLS)
• Role-based Access Control (w/o end-to-end TrustSec)

Using Cisco technologies available today, you can overcome these challenges
and build an “Evolved” Campus Network to better meet your business objectives.

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 3

Agenda

1 Key Benefits
Why do I care?

2 Key Concepts
What is a Fabric?

3 Solution Overview
What are the components?

4 Putting It Together
How do I build it?

5 Use Case
 Key Benefits

Key Concepts

Solution Overview

Putting It Together

Key Benefits Use Case

Why do I care ?
Cisco Digital Network Architecture
Overview

Network-enabled Applications

Cloud Service Management

Policy | Orchestration
Insights &
Open APIs | Developers Environment
Experiences
Automation Analytics
Principles Automation
Abstraction & Policy Control Network Data,
from Core to Edge Contextual Insights & Assurance

Open & Programmable | Standards-Based Security &

Virtualization Compliance
Physical & Virtual Infrastructure | App Hosting

Cloud-enabled | Software-delivered

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 6

Campus Fabric Foundational Technologies

Programmable Custom ASICs Converged Software Services

Industry Leading
Wired and Wireless | Stacking | TrustSec | SDN
+ Network Enabled Applications
Collaboration | Mobility | IoT | Security
`
Advanced Functionality Automation
Programmable Pipeline | Flexibility | Recirculation Programmable | Open

Optimized for Campus Virtualization

Integrated Stacking | Visibility | Security Campus Fabric | Segmentation | L2 Flexibility

Future Proofed Designed for Evolution

Long Life Cycle | Investment Protection Strong Foundational Capabilities | HA

Driving Innovation Through Technology

| Investment
5 - 7 April 2017 | Cisco Connect Pula, Croatia 7
 Simplified Provisioning
Provision Deploy devices using “best practice”
configurations using models and Smart CLI
5 - 7 April 2017 | Cisco Connect | Pula,BRKCRS-1800
Croatia 8
 X Simple Segmentation constructs
Segmentation Security to build Secure boundaries for “users and things”
5 - 7 April 2017 | Cisco Connect | Pula,BRKCRS-1800
Croatia 9
 Wired and Wireless
Host Mobility
Mobility because your address is no longer tied to your location
5 - 7 April 2017 | Cisco Connect | Pula,BRKCRS-1800
Croatia 10
 Network Wide

Intelligent
Policy Enforcement
Policy based on your identity, not on your address
5 - 7 April 2017 | Cisco Connect | Pula,BRKCRS-1800
Croatia 11
 Key Benefits

Key Concepts

Solution Overview

Putting It Together

Key Concepts Use Case

What is a Fabric?
What exactly is a Fabric?

A Fabric is an Overlay
An “Overlay” is a logical topology used to virtually connect devices, built
on top of an arbitrary physical “Underlay” topology.
An “Overlay” network often uses alternate forwarding attributes to provide
additional services, not provided by the “Underlay”.

Examples of Network Overlays

• GRE or mGRE • LISP
• MPLS or VPLS • OTV
• IPSec or DMVPN • DFA
• CAPWAP • ACI

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 13

What exactly is a Fabric?
Why Overlays?

Separate the Forwarding Plane from the Services Plane

Simple Transport Forwarding Flexible Virtual Services

– Physical Devices and Paths – Mobility – Track End-points at Edges
– Intelligent Packet Handling – Scalability – Reduce core state
§ Distribute state to network edge
– Maximize Network Availability
– Simple and Manageable – Flexibility and Programmability
§ Reduced number of touch points

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 14

What exactly is a Fabric?
Overlay Terminology

Overlay Network Overlay Control Plane

Encapsulation

Edge Device Edge Device

Hosts
(End-Points)

Underlay Network Underlay Control Plane

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 15

What exactly is a Fabric?
Types of Overlays

Hybrid L2 + L3 Overlays offer the Best of Both Worlds

Layer 2 Overlays Layer 3 Overlays

• Emulates a LAN segment • Abstract IP connectivity
• Transport Ethernet Frames (IP & Non-IP) • Transport IP Packets (IPv4 & IPv6)
• Single subnet mobility (L2 domain) • Full mobility regardless of Gateway
• Exposure to Layer 2 flooding • Contain network related failures (floods)
• Useful in emulating physical topologies • Useful to abstract connectivity and policy

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 16

What is unique about Campus Fabric?
Key Differences

1. LISP based Control-Plane

2. VXLAN based Data-Plane
3. Integrated Cisco TrustSec
5 - 7 April 2017
Key Differences
• L2 + L3 Overlay -vs- L2 or L3 Only
• Host Mobility with Anycast Gateway
• Adds VRF + SGT into Data-Plane
• Virtual Tunnel Endpoints (No Static)
• No Topology Limitations (Basic IP)
| Cisco Connect | Pula, Croatia 17
Campus Fabric
New Terminology

• “Control-Plane Node” ≈ “LISP Map-Server”

• “Edge Node” ≈ “LISP Tunnel Router” (xTR)

• “Border Node” ≈ “LISP Proxy Tunnel Router” (PxTR)

• “Intermediate Node” ≈ “Non-LISP IP Forwarder”

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 18

Campus Fabric Overview
New Terminology

• “Fabric Domain” ≈ “FD” ≈ “LISP Process”

• “Virtual Network” ≈ “VN” ≈ “LISP Instance” ≈ “VRF”

• “Endpoint ID Group” ≈ “EIG” ≈ “Segment” ≈ “SGT”

• “Host Pool” ≈ “Dynamic EID” ≈ “VLAN + IP Subnet”

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 19

 Key Benefits

Key Concepts

Solution Overview

Putting It Together

Solution Overview Use Case

What are the components ?

Locator / ID Separation VXLAN
Protocol (LISP) Encapsulation

Cisco
TrustSec
What is LISP?

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 21

Locator/ID Separation Protocol (LISP)

A routing Architecture
Separate address spaces for Identity EID
and Location EID
End-point Identifiers (EID)
Routing locators (RLOC) EID
Mapping
System
A Control Plane Protocol RLOC
A system that maps end-point
identities to their current location
(RLOC) EID
EID EID
A Data Plane Protocol
Encapsulates EID-addressed packets
inside RLOC-addressed headers
5 - 7 April 2017 | Cisco Connect | Pula, Croatia 22
Locator / ID Separation Protocol
Location and Identity Separation

Traditional Behavior -
Location + ID are “Combined”
IP core
When the Device moves, it gets a
10.1.0.1
new IPv4 or IPv6 Address for its new
Device IPv4 or IPv6 Identity and Location
Address represents both 20.2.0.9
Identity and Location

Overlay Behavior -
Location & ID are “Separated”
IP core
10.1.0.1 When the Device moves, it keeps
the same IPv4 or IPv6 Address.
Device IPv4 or IPv6 It has the Same Identity
Address represents 10.1.0.1
Identity only

Location Is Here Only the Location Changes

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 23

How is LISP used in
Campus Fabric?

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 24

Campus Fabric
Control-Plane Nodes – A Closer Look

Fabric Control-Plane Node is based on a LISP Map Server / Resolver

Runs the LISP Host Tracking Database to provide overlay reachability information

• A simple Host Database, that tracks Endpoint ID to

Edge Node bindings, along with other attributes C

• Host Database supports multiple Endpoint ID lookup

keys (IPv4 /32, IPv6 /128 or MAC)

• Receives prefix registrations from Edge Nodes with

local Endpoints

• Resolves lookup requests from remote Edge Nodes,

to locate local Endpoints

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 25

Campus Fabric
Edge Nodes – A Closer Look

Fabric Edge Node is based on a LISP Tunnel Router (xTR)

Provides connectivity for Users and Devices connected to the Fabric

• Responsible for Identifying and Authenticating Endpoints

• Register Endpoint ID information with the Control-Plane

Node(s)

• Provides Anycast L3 Gateway for connected Endpoints

• Must encapsulate / decapsulate host traffic to and from

Endpoints connected to the Fabric

E E E

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 26

Campus Fabric
Border Nodes – A Closer Look

Fabric Border Node is based on a LISP Proxy Tunnel Router (PxTR)

All traffic entering or leaving the Fabric goes through this type of node

• Connects traditional L3 networks and / or different

Fabric domains to the local domain

• Where two domains exchange Endpoint reachability B B

and policy information

• Responsible for translation of context (VRF and SGT)

from one domain to another

• Provides a domain exit point for all Edge Nodes

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 27

LISP Mobility in Campus Fabric

Host Pool is based on an IP Subnet + VLAN ID

Provides the basic IP constructs, including “Anycast Gateway” for each Host Pool

• Edge Nodes maintain a Switch Virtual Interface (SVI),

with IP Subnet, Gateway IP, etc. for each Host Pool

• LISP uses Dynamic EID to advertise each Host Pool

(within each Instance ID)
Pool Pool Pool
• LISP Dynamic EID allows Host-specific (/32, /128, 1 4 7
Pool Pool Pool Pool Pool Pool
MAC) advertisement and mobility 2 3 5 6 8 9

• Host Pools can either be assigned Statically (per port)

or Dynamically (using Host Authentication)

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 28

LISP Secure Segmentation in Campus Fabric

Virtual Network (VN) based on Virtual Routing and Forwarding (VRF)

Maintains a separate Routing and Switching instance for each Virtual Network

• LISP uses Instance ID to maintain independent VRF

topologies (“Default” VRF is Instance ID “0”)

• LISP adds VNID to the LISP / VXLAN encapsulation

• Endpoint ID prefixes (Host Pools) are advertised

within the LISP Instance ID VN VN VN
“A” “B” “C”

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 29

How does LISP
work?

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 30

Locator / ID Separation Protocol
LISP Mapping System

LISP “Mapping System” is analogous to a DNS lookup

‒ DNS resolves IP Addresses for queried Name Answers the “WHO IS” question

[ Who is lisp.cisco.com ] ?
DNS
DNS Name -to- IP
Host Server URL Resolution
[ Address is 153.16.5.29, 2610:D0:110C:1::3 ]

‒ LISP resolves Locators for queried Identities Answers the “WHERE IS” question

[ Where is 2610:D0:110C:1::3 ] ?
LISP
LISP LISP Map
Router System ID -to- Locator
Map Resolution
[ Locator is 128.107.81.169, 128.107.81.170 ]

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 31

Want to know more
about LISP?

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 32

Locator / ID Separation Protocol (LISP)
Would you like to know more?

At Cisco Live Berlin 2017 – www.ciscolive.com

BRKRST-3800 - DNA Campus Fabric – A Look Under the Hood
BRKRST-3045 - LISP - A Next Generation Networking Architecture
BRKRST-3047 - Troubleshooting LISP
LTRDCT-2224 - Enhancing VXLAN/EVPN Fabrics with LISP

Other References
Cisco LISP Site http://lisp.cisco.com
Cisco LISP Marketing Site http://www.cisco.com/go/lisp/
LISP Beta Network Site http://www.lisp4.net or http://www.lisp6.net
IETF LISP Working Group http://tools.ietf.org/wg/lisp/
Fundamentals of LISP https://www.youtube.com/watch?v=lKrV1qB8uqA

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 33

 Key Benefits

Key Concepts

Solution Overview

Putting It Together

Solution Overview Use Case

What are the components ?

Locator / ID VXLAN
Separation Protocol Encapsulation

Cisco
TrustSec

3
4
What is Cisco
TrustSec (CTS)?

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 35

Cisco TrustSec
Traditional segmentation is extremely complex
Applications

Enforcement
access-list
access-list
102
102
deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
IP Based Policies -
access-list
access-list
102
102
permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
ACLs, Firewall Rules
access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list
access-list
102
102
deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216 Propagation
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175 Carry “Segment”
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462 Enterprise
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
Backbone context through the
network using VLAN,
Aggregation Layer IP address, VRF
Static ACL Limits of Traditional VACL

Routing Segmentation
Access Layer Classification
Redundancy • Security Policy based Static or Dynamic
DHCP Scope on Topology (Address) VLAN assignments
Address • High cost and
VLAN complex maintenance Non-Compliant Voice Employee Supplier BYOD

Quarantine Voice Data Guest BYOD

VLAN VLAN VLAN VLAN VLAN

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 36

Cisco TrustSec
Simplified segmentation with Group Based Policy

Enforcement
Shared Application
Group Based Policies Services Servers
ACLs, Firewall Rules

Enforcement DC Switch
or Firewall
Propagation
Carry “Group” context
through the network Enterprise
using only SGT Backbone
ISE

Classification
Static or Dynamic Campus Switch Campus Switch DC switch receives policy
for only what is connected
SGT assignments

Employee Tag
Supplier Tag
Non-Compliant Employee Voice Voice Employee Supplier Non-Compliant Non-Compliant Tag

VLAN A VLAN B

5 - 7 April 2017 | Cisco Connect | Pula,BRKCRS-1800

Croatia 37
How is Cisco
TrustSec used in
Campus Fabric?

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 38

 Cisco Trust Security
Identity Services Engine enables CTS
NDAC
Network Device
Admission Control
NDAC authenticates
Network Devices for a
Scalable Group ACL Cisco ISE Scalable Group Tags
trusted CTS domain
Destinations SGACL - SGT and 3: Employee
Name Table SGT Names
Sources
✕ ✓✕ ✓ ✓ ✓ 4: Contractors
SGT and SGT Names
Centrally defined ✓ ✓✕ ✓ ✕ ✕ 8: PCI_Servers
Endpoint ID Groups ✕ ✓✓ ✕ ✕ ✕ 9: App_Servers

SGACL - Name Table

Policy matrix to be
pushed down to the
network devices

ISE dynamically Rogue

authenticates endpoint Device(s) 802.1X Dynamic SGT Static SGT
Assignment Assignment
users and devices,
and assigns SGTs

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 39

Campus Fabric
Endpoint ID Groups – A Closer Look

Endpoint ID Group is based on a Scalable Group Tag (SGT)

Each User or Device is assigned to a unique Endpoint ID Group (EIG)

• CTS uses Endpoint ID “Groups” to assign a unique

Scalable Group Tag (SGT) to Host Pools

• LISP adds SGT to the LISP / VXLAN encapsulation

• CTS EIGs are used to manage address-independent EIG EIG EIG

“Group-Based Policies” 1 4 7
EIG EIG EIG EIG EIG EIG
2 3 5 6 8 9
• Individual Edge and Border Nodes use SGT to
enforce local Scalable Group ACLs (SGACLs)

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 40

Want to know more
about TrustSec?

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 41

Cisco Trust Security (CTS)
Would you like to know more?

At Cisco Live Berlin 2017 – www.ciscolive.com

BRKCOC-2255 - Inside Cisco IT: How Cisco deployed ISE and TrustSec, globally
BRKSEC-2203 - Intermediate - Enabling TrustSec Software-Defined Segmentation
TECSEC-2222 - Securing Networks with Cisco TrustSec

Other References
Cisco TrustSec Marketing Site
Cisco TrustSec Config Guide
CTS Architecture Overview
CTS 2.0 Design Guide
Fundamentals of TrustSec
http://www.cisco.com/go/trustsec/
cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec.html
cisco.com/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html
cisco.com/td/docs/solutions/Enterprise/Security/TrustSec_2-0/trustsec_2-0_dig.pdf
https://www.youtube.com/watch?v=78-GV7Pz18I

5 - 7 April 2017 | Cisco Connect | Pula,BRKCRS-1800

Croatia 42
 Key Benefits

Key Concepts

Solution Overview

Putting It Together

Use Case

Solution Overview
What are the components ?
Locator / ID Virtual Extenible LAN
Separation Protocol (VXLAN) Encapsulation

Cisco
TrustSec
What is Virtual
Extensible LAN
(VXLAN)
Encapsulation?

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 44

VXLAN Encapsulation

VXLAN is the Data Plane

ORIGINAL
ETHERNET IP PAYLOAD
PACKET
Supports L3
Overlay
PACKET IN LISP
ETHERNET IP UDP LISP IP PAYLOAD

Supports L2
and L3
PACKET IN Overlay
ETHERNET IP UDP VXLAN ETHERNET IP PAYLOAD
VXLAN

5 - 7 April 2017 | Cisco Connect | Pula,BRKCRS-1800

Croatia 45
Data-Plane Overview
Fabric Header Encapsulation

Inner
Fabric Data-Plane provides the following:
– Underlay address advertisement and mapping

Outer
– Automatic tunnel setup (Virtual Tunnel End-Points)
– Frame encapsulation between Routing Locators

Support for LISP or VXLAN header format Decap

Outer
– Nearly the same, with different fields and payload

Inner

Inner
– LISP header carries IP payload (IP in IP)
– VXLAN header carries MAC payload (MAC in IP)

Triggered by LISP Control-Plane events Encap

– ARP or NDP Learning on L3 Gateways
– Map-Reply or Cache on Routing Locators

Inner
5 - 7 April 2017 | Cisco Connect | Pula, Croatia 46
 Key Benefits

Key Concepts

Solution Overview
Putting It Together Putting It Together

How do I build it? Use Case

What Cisco switches
support Campus
fabric?

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 48

Platform Support
Fabric Edge Nodes - Options

Catalyst 3K Catalyst 4K

• Catalyst 3650 • Catalyst 4500

• Catalyst 3850 • Sup8E (Uplinks)
• 1G/MGIG (Copper) • 4700 Cards
• IOS-XE 16.3.1+ • IOS-XE 3.9.1+

5 - 7 April 2017 | Cisco Connect | Pula, Croatia

Platform Support
Fabric Border Nodes - Options

Catalyst 3K Catalyst 6K ASR1K & ISR4K Nexus 7K

• Catalyst 3850 • Catalyst 6800 • ASR1000-X • Nexus 7700

• 12/24 or 48XS • Sup2T or 6T • ISR4430/4450 • Sup2E
• 1/10G (Fiber) • 6880 or 6840-X • X or HX Series • M3 Cards
• IOS-XE 16.3.1+ • IOS 15.4.1SY+ • IOS-XE 16.4.1+ • NXOS 7.3.2+

5 - 7 April 2017 | Cisco Connect | Pula, Croatia

Platform Support
Fabric Control-Plane - Options

Catalyst 3K Catalyst 6K ASR1K & ISR4K

• Catalyst 3850 • Catalyst 6800 • ASR1000-X

• 12/24 or 48XS • Sup2T or 6T • ISR4430/4450
• 1/10G (Fiber) • 6880 or 6840-X • X or HX Series
• IOS-XE 16.3.1+ • IOS 15.4.1SY+ • IOS-XE 16.4.1+

5 - 7 April 2017 | Cisco Connect | Pula, Croatia

How do I configure
Campus Fabric?

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 52

Campus Fabric - Smart CLI
Provisioning and Troubleshooting Made Simple

What is Smart CLI?

• Its a new configuration mode to simplify config
and management of Campus Fabric

• Invoked by a new Global command “fabric auto”

fabric_device(config)# fabric auto
• Provides a simple set of easy-to-understand CLI

• Auto-generates all of the equivalent (traditional)

LISP, VRF, IP, CTS, etc. CLI commands

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 53

Smart CLI – Example
Adding a new Edge Node

§ Generate all LISP XTR baseline configs

§ Set up Loopback0 as locator address
§ Creates default neighborhood as instance ID 0
§ Enables VXLAN encapsulation
§ Adds SGT to VXLAN encapsulation

Edge(config)# fabric auto

Edge(config-fabric-auto)# domain default
Edge(config-fabric-auto-domain)# control-plane 2.2.2.2 auth-key key1
Edge(config-fabric-auto-domain)# border 4.4.4.4
Edge(config-fabric-auto-domain)# exit

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 54

Smart CLI – Example
Show Fabric Domain

Edge# show fabric domain

Fabric Domain : "default"
Role : Edge
Control-Plane Service: Disabled
Border Service: Disabled

Number of Control-Plane Nodes: 1

IP Address Auth-key
---------------------------------
2.2.2.2 key1

Number of Border Nodes: 1

IP Address
--------------------------------- § Shows current domain (default)
4.4.4.4 § Shows current Role(s)
Number of Neighborhood(s): 4 § Shows Control-Plane Node(s)
Name ID Host-pools
---------------------------------------------
§ Shows Border Node(s)
default 0 2 § Shows Virtual Network(s)
guest 50 1
pcie 60 1 § Associated Host Pool(s)
cisco 70 *

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 55

Campus Fabric - Smart CLI
Provisioning and Troubleshooting Made Simple

More to Come! J
• Underlay Network – Configure the Interfaces
and Protocols to bring up the Underlay network

• Endpoint ID Groups – Configure the AAA and

CTS commands for Static & Dynamic ID
fabric_device(config)# fabric auto

• Group Based Policy – Configure SGT and

SGACL policies

• And More…
5 - 7 April 2017 | Cisco Connect | Pula, Croatia 56
 Key Benefits

Key Concepts

Solution Overview

Putting It Together

Use Case

Use Case
OK, now that I’ve
seen all this, why
might I use this in my
network?

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 58

EU Regulatory Compliance -GDPR

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 59

Use Case – Comply with GDPR

VLAN 1 VLAN 2 VLAN 3

HQ

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 60

Use Case – Comply with GDPR

VN “Corp” VN “IoT” VN “Guest”

5 - 7 April 2017 | Cisco Connect | Pula, Croatia 61

Take-Away
What to do next?

1. Update your Hardware and Software!

• Catalyst 3650 or 3850 - New IOS-XE 16.3+
• Catalyst 4500 w/ Sup8E - New IOS-XE 3.9+
• Catalyst 6807, 6880 or 6840 - New IOS 15.4SY+
• Nexus 7700 w/ M3 Cards - New NX-OS 7.3.2+
• ASR1000-X or ISR4400 - New IOS-XE 16.4+

2. Try out “Campus Fabric” in your Lab!

• You only need 2 or 3 (+) switches to test this solution
• At least 1 Control-Plane + Border and 1 Fabric Edge

IP Network
3. Trial Deployments (Remember: its an Overlay)
• You can install new C-Plane, Border and Edge Nodes
without modifying your existing (Underlay) network

5 - 7 April 2017 | Cisco Connect | Pula, Croatia

Campus Fabric CVD on Cisco.com

5 - 7 April 2017 | Cisco Connect | Pula, Croatia