BRKSDN 2500

Real World Use Cases for Deploying
and Operating Cisco SD-Access

Using Cisco DNA Center
Peter Fuchs, Technical Solutions Architect

Patrick Mosimann, Technical Solutions Architect
Ivan Caduff, Solutions Architect
BRKSDN-2500
Cisco Webex Teams
Questions?
Use Cisco Webex Teams to chat
with the speaker after the session
How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
BRKSDN-2500 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Summit
Step 3: Summit Icefield
Cisco SD-Access Step 2: Shoulder

journey is like
climbing a Step 1: Solvay Hut
mountain, small
steps will bring you
to the top!
Basecamp: Hörnlihut
Matterhorn
© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Customer Use Case:
Setup a branch site remotely
•
• A view from a customer
Looking back to what has Pack your
•
changed since last year
Lessons learned & best practices backpack
• Top of mind 🤯🤯 challenges and
approach how to solve
• Some DO’s DONT’s
• NO marketing
What’s not
-> World of Solutions
• NO TAC
in the •
-> BRKOPS-2826
NO implementation guide
backpack • NO lab
-> BRKNMS-2426
-> LTRNMS-2500
-> LTRNMS-2043
-> LTRCRS-2109
Customer Use Case:
Setup a branch site
remotely
Customer Use Case
About Oerlikon:
Global footprint of more than 10’500
employees at 175 locations in 37
countries.
Surface Solution Syntetic Fibers
Customer Use Case
Use Case:
• consolidated overview (visibility)
• new technical requirements

(security, traffic patterns)
• strong focus on cloud-based

services
Customer Use Case
Challenge:
small team to manage
175 locations in
37 countries
Customer Use Case
Challenge:
small team to manage
175 locations in
37 countries
Robert de Meyer
Network Administrator
Oerlikon IT Solutions
Customer Use Case
Lessons learned:
• Use automation with a
programmable central
orchestration tool
• Ship hardware directly to the
branch site without pre
configuration
• Limited IT know-how on site
Customer Use Case
Lessons learned:
• Build a backbone with the
possibility of macro segmentation
• Hardware dependency (max. 4
VN’s possible on Catalyst 9200)
Customer Use Case
Lessons learned:
• Categorize your setups
• Make your IP Design based on
categories and region
• Fixed CIDRs for each VN
• Build summaries for different regions
Demo
Summit

journey is like
mountain, small
to the top!
Matterhorn
Looking back…
…looking back to last year
Basecamp
PnP Agent - device cleanup

Cleanup of pre-configured device
Solved since Cisco IOS XE Fuji 16.8.1a

with command:
factory-reset {all | config | boot-vars}
factory-reset command
R6HE18_Fusion1#factory-reset ?
all All factory reset operations Available since:
boot-vars Reset user added boot variables Cisco IOS XE Fuji 16.8.1a
config Reset config
all removes ALL (config, boot-variables AND images in flash)

boot-vars removes the boot-variables
config removes the config, including vlan.dat, crypto PKI, crypto-key, pnp profile,
certificates in nvram:
INFO:
R7HE05-C9300-48P-2Stack#factory-reset config
The factory reset operation is irreversible for erasing configuration. Are you sure? [confirm]
Factory-reset cli not supported in stacking mode.
Basecamp
Routing from DNAC/DHCP to your fabric is

working
This is not a DNAC task, but a «prepare

your trip» task. Verify the routing towards
your border for the IP pools assigned
Basecamp
Configuring additional links after LAN Automation

was performed Workaround available with defining
primary and peer device in LAN
Automation, start, wait 2 minutes
B C B C and stop.
See Appendix for detailed steps or
CCO:
https://www.cisco.com/c/en/us/td/docs/cloud-systems-
management/network-automation-and-management/dna-
center/tech_notes/b_dnac_sda_lan_automation_deployme
nt.html#id_89815
E E E
Summit

journey is like
mountain, small
to the top!
Matterhorn
Hörnlihut
Certificates
Shoulder
Solvay Hut
Summit
Summit Icefield
Presentation © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Certificates Plan your trip
PRE-PRODUCTION
Use Case: Cisco DNA Center Core TM
You have deployed your DNAC in your PRE-

PRODUCTION in order to test and verify the solution. Self-Signed
In order to test some of the Assurance functions with
real data, you have included some production B C B C
switches in the inventory.
E E E
PRODUCTION PRE-PRODUCTION
CA
Core
Challenge: Cisco DNA CenterTM
You are happy with the results and want Self-Signed

to move the DNAC to PRODUCTION.
C
However, this requires new CA signed
B C B
certificates.
Result will be:

- WLC connection will be broken
- ISE connection will be broken
- HTTPS to DNAC is broken (REST API) E E E
PRODUCTION PRE-PRODUCTION
CA
Core
Cisco DNA CenterTM

Lessons learned:
Start with your enterprise or external CA
certificates from day-0. Same applies for all B C B C
certificates (DNAC, ISE, WLC, etc.).
If you plan to use external

signed certificates, do it
from day-0
E E E
Certificate check-list Reference
Tips and Tricks
 Plan for your DNAC cluster (add all IP’s in the certificate)
 Ensure your CA provider allows RFC1918 addresses
IMPORTANT: Best Practice for certificate management including

examples:
https://www.cisco.com/c/en/us/td/docs/cloud-systems-
management/network-automation-and-management/dna-
center/hardening_guide/b_dnac_security_best_practices_guide.ht
ml
DNAC Site Hörnlihut
Elements
Shoulder
Solvay Hut
Summit
Summit Icefield
DNAC Site Elements Plan your trip
Demystify the site elements
Use Case:
There is a scale limit on the number of site elements
(Version 1.3):
DN2-HW-APL DN2-HW-APL-L DN2-HW-APL-XL
(entry) (mid-size) (large)
Number of site 500 1’000 2’000
elements
Source:
https://www.cisco.com/c/en/us/products/collateral/cloud-
systems-management/dna-center/nb-06-dna-center-data-
sheet-cte-en.html
Challenge:
You want to plan your network hierarchy
and create elements without hitting the
limit.
🧐🧐
Lessons learned:
1.
Every element under the “Global” hierarchy 2.
which is either a building or a floor is 3.
considered as “site element” and counts 4.
5.
against the limit mentioned in the Data Sheet. 6.
7.
8.
9.
10.
11.
Lessons learned:
1.
Every element under the “Global” hierarchy 2.
which is either a building or a floor is 3.
considered as “site element” and counts 4.
5.
against the limit mentioned in the Data Sheet. 6.
7.
8.
9.
🤯🤯
Whaaaaaaat?
10.
11.
Summit
Step 2: Shoulder
Use Case: Step 1: Solvay Hut
STACK LAN
Automation
Matterhorn
Basecamp
LAN Automation with Stacks
Use a stack of switches within the Fabric Core
Use Case:
Because of limited uplinks to your Border B C B C
or Intermediate switch you want to use a
stack
Basecamp
PnP/LAN Automation Core
Challenge:
LAN Automation is based on PnP but not C
B C B
the same – some Functionality is not
given in LAN Automation
Basecamp
PnP/LAN Automation Core
3 options
B C B C
• Power on in order
• Power on in any order and fix it
• Ramp up your stack
Basecamp
Build your stack - option 1/3 Core
Power on in order: B C B C
Turn on your switches in the order you

want to have them in the stack.
Start with the switch that you want to
become switch 1, after 20 seconds
power on the 2nd one and so on.
Basecamp

1
2
Basecamp

1
2
3
Basecamp

1
2
3
4
Basecamp

As soon as your stack is complete run

LAN Automation 1
2
3
4
Basecamp
Power on in any order and fix it:

The switches are already running; you
C
renumber them using a console cable B C B
Stack_1#switch 4 renumber 2
To verify which switch you are handling you

might use
Stack_1#hw-module
beacon slot 1 on
1
4
3
2
Basecamp

The switches are already running; you
C
renumber them using a console cable B C B
Stack_1#switch 4 renumber 2
To verify which switch you are handling you

might use
Stack_1#hw-module
beacon slot 1 on
1
2
3
4
LAN Automation with Stacks Reference
Tips and Tricks Core
Operator in front of the switch can press beacon button

Stack_1#sh beacon
show command to Switch# Beacon Status B C B C
Verify LED status -----------------------

*1 OFF
2 ON
3 OFF
4 OFF
You can turn it on via command line as well

Stack_1#hw-module beacon slot 1 on
LAN Automation with Stacks Reference
Tips and Tricks
stack-1#show switch stack-ports summary
Sw#/Port# Port Status Neighbor Cable Length Link OK Link Active Sync OK #Changes to LinkOK In Loopback
-------------------------------------------------------------------------------------------------------------------
1/1 OK 4 100cm Yes Yes Yes 1 No
Configure switch number, role and priority with the following commands
stack-1#switch 1 renumber ?
<1-8> New number of the Switch
stack-1#switch 1 role ?
active Set the new switch to 1+1 active mode
standby Set the new switch to 1+1 standby mode
stack-1#switch 1 priority ?
<1-15> Switch Priority
Basecamp

When your switches are in the right
C
order delete the config (use the script) B C B
and restart
R7HE05-C9300-48P-2Stack#factory-reset config
Factory-reset cli not supported in stacking mode.
Basecamp

When your switches are in the right order
C
delete the config (use the script) and B C B
restart
Now you are ready to run LAN Automation
Basecamp
Ramp up your stack:

Start with a single unit, do LAN
C
Automation on it B C B
Basecamp
Ramp up your stack:

C
Basecamp
Ramp up your stack:

C
After LAN Automation you add additional

switches to your stack
Basecamp
Ramp up your stack:

Resync the device when you have added
C
the last switch in the stack B C B
If you want to add an additional uplink,

default the port config and use the
workaround that has been presented
previously
Basecamp
Core
Lessons learned:
There are still use cases for stacks B C B C
You have different options to build the stack,

even growing slowly is possible using the
workaround to address links afterwards
E E E
Summit
Step 2: Shoulder
L2 Border – your
connectivity to the
non-SDA network Basecamp: Hörnlihut
Matterhorn
L2 Handoff Step 1
How to extend existing VLAN into SDA fabric Core
Use Case:
Extend an existing VLAN/IP Pool from B C B C
non-SDA environment to your SDA fabric

L2border
E E E
VLAN 36
10.0.42.0/24
L2 Handoff Step 1
Gateway
Challenge: B C B C
Migration of endpoints from non-SDA

environment to your SDA fabric
L2border
E E E
VLAN 36
10.0.42.0/24
L2 Handoff Step 1
Gateway
Lessons learned: B C B C
You need a L2 connection from your non-

SDA network to your L2border and you need L2border
to move the gateway of your external-VLAN
to the L2border
E E E
VLAN 36
10.0.42.0/24
L2 Handoff Step 1
Gateway Gateway
You need to disable the gateway on your

non-SDA device (duplicate IP) L2border
E E E
VLAN 36
10.0.42.0/24
L2 Handoff Step 1
Gateway
You need to route the Subnet of your

external-VLAN towards SDA fabric L2border
E E E
VLAN 36
10.0.42.0/24
Layer 2 Hand off for Migration in SD-Access Reference
VXLAN VLAN
DATA-PLANE
Layer 2
Border Single or
* Dual-Homing requires
port-channel*
SDA Fabric Trunk Port
L2 MEC to prevent L2 loops
E E E
Host 1 Host 2 Host 3

IP: 10.1.1.10/24 IP: 10.1.1.20/24 IP: 10.1.1.30/24
Hosts attached to SDA Fabric Hosts attached to traditional

Edge nodes in Address Pool (1024) Access switches in VLAN (10)
Summit
Step 2: Shoulder
Building Automation
(ex. BACnet/IP)
Matterhorn
Building Automation Step 2
Use Case:
Building Automation based on
BACnet/IP
Challenge:
• Broadcast traffic
• Networking know-how of facility
control suppliers
• Enable Layer 2 Flooding (disabled

by default)
• Use smaller IP pools e.g. /24
• Floods Ethernet broadcast and link
local multicast in overlay
E E E
Broadcast
Broadcast or
or Link-
Link-Local
Local
Multicast
Multicast
traffic
traffic
Layer 2 Flooding in SD-Access Reference
Step by step 0 A Given IP Subnet is mapped to a
dedicated multicast
address in the Underlay. The group is a
RP RP
ASM group and hence all the PIM joins
are sent to the RP in the
underlay.
Edge E Edge E E Edge

Node 1 Node 2 Node 3
0 0 0
IP Subnet/VLAN 1021
RP RP
1
Since all the Fabric nodes that have
the IP subnet configured have sent
the PIM joins on their respective
1
multicast group , a multicast tree is
pre built for that particular IP
subnet.
E E E
1 1 1 The traffic is flooded on this pre

built multicast tree.
IP Subnet/VLAN 1021
RP RP 2 ARP/Broadcast/Link Local Multicast

traffic is coming from the end host
to the fabric edge node.
E E E
IP Subnet/VLAN 1021
RP RP
3 The fabric edge node intercepts
the traffic and is sent over the
dedicated multicast group in the
3
underlay.
E E E The Underlay based on normal

multicast functionality is responsible
for replicating the traffic as needed.
The Source tree failover also

happens based on regular multicast
IP Subnet/VLAN 1021 working.
RP RP
4 All the FE nodes get the traffic sent
by edge node 1.
E E E
IP Subnet/VLAN 1021
Summit
Step 2: Shoulder
Step 1: Solvay Hut
Use Case:
Silent Hosts
Matterhorn
Silent Hosts Step 2
Use Case:
• There are hosts which do not send
traffic when they get connect to
LAN port
• Maybe there are even some hosts
which do not answer to ARP
requests
Silent Hosts Step 2
Challenge:
• IP/MAC will not be learned on the
Fabric Edge (FE) and therefore not
registered into the Control Point
Node (CP)
Silent Hosts Step 2
Lessons learned:
• Works fine for east-west traffic if endpoint responds to ARP & L2 flooding is
enabled
• If not: Hardcode IP/MAC into IP device tracking (IPDT) on Fabric Edge switches
(not scalable workaround & last resort)
• Port needs to be configured with No Authentication or Open Authentication
device-tracking binding vlan 1024 172.21.101.13 int Gi1/0/13 001b.4411.3ab7
Summit
Step 2: Shoulder
Step 1: Solvay Hut
Use Case:
Wake on LAN
Matterhorn
Wake on LAN Step 3
Use Case:
Software Upgrade on Computer
during night when they are initially
switched off
Wake on LAN Step 3
Challenge:
A message (magic packet) will be
sent to computer by a device in the
same subnet or from another
subnet using a directed broadcast
packet
Wake on LAN Step 3
Lessons learned: Core
• Does NOT work if source is remote

(directed broadcast)
B C B C
• Permanent and automated fix is on
roadmap
• Does NOT work if Client Port is

configured with closed
authentication
E E E
10.0.42.0/24
Wake on LAN Step 3
Lessons learned: Core
• Works well if source and

destination are on the same
subnet (Ethernet broadcast) B C B C
• L2 flooding must be enabled

• Client Port needs to be configured
with No Authentication or Open
Authentication
E E E
10.0.42.0/24
Summit
Step 2: Shoulder
Campus Network Step 1: Solvay Hut

Assurance:
Issue for Shared
Services
Matterhorn
Assurance Issue for Shared Services Summit
Use Case:
Issue in Assurance about DHCP
Server reachability
Challenge:
Shared
Services
• IP SLA is used for reachability
checks for each Virtual Network
• source-ip from L3 Border Handoff B C B C
Point-to-Point Interface used for

IP SLA
GUEST_VN PROD_VN IOT_VN
Challenge:
ip sla 1
icmp-echo 192.168.99.101 source-ip 192.168.127.137
• IP SLA is used for reachability vrf GUEST_VN

Border 1
checks for each Virtual Network threshold 3
ip sla schedule 1 life forever start-time now

• source-ip from L3 Border Handoff
Point-to-Point Interface used for
IP SLA ip sla 1
icmp-echo 192.168.99.101 source-ip 192.168.127.141
vrf GUEST_VN
Border 2
threshold 3
ip sla schedule 1 life forever start-time now
Lessons learned:
router bgp 65001
address-family ipv4 vrf GUEST_VN
• source-ip from L3 Border bgp aggregate-timer 0
Handoff Point-to-Point Interface network 172.21.111.1 mask 255.255.255.255

Border 1
needs to be routed between network 192.168.127.136 mask 255.255.255.252
Border and Shared Services <output truncated>
(DHCP, AAA, …)
router bgp 65001
• Use network statement in BGP address-family ipv4 vrf GUEST_VN
config on Border bgp aggregate-timer 0
• Check if a Firewall is blocking

network 172.21.111.1 mask 255.255.255.255
Border 2
network 192.168.127.140 mask 255.255.255.252
this traffic to the shared services
<output truncated>
Source: Erwin Keller
Wrap up
Opening Keynote 09:00 BRKNMS-2426
OPS
Cisco DNA Center -
From 0 to 100 How to
08:30 Operations Track
BRKNMS-2573 get the network up and www.ciscolive.com/emea/learn/technology-
tracks/operations.html
From Prime 11:00 running from scratch
Infrastructure to
Software Defined BRKOPS-2110 BRKNMS-2031
Cisco DNA Center: The 11:15
Network (SDN) End-2-end policy from the 11:00
evolution from traditional BRKSDN-2295
Management with Campus to the DC and back, a Controlling the wild wild west of 09:00
Management to Intent-Based
Cisco DNA Center packet journey with SDA to ACI applications in your network using
Automation & Assurance
Cisco DNAC QoS Policies
BRKOPS-2131 TCRNMS-2100
TechCircle: Cisco DNA 13:15
Cisco DNA Analytics 14:30
and Assurance - The
Center Innovations BRKOPS-2859
Towards operating a 11:30
Shortest Path to BRKSDN-2500 multi-domain network
Network Innocence Real World Use Cases for 14:45
Deploying and Operating Guest Keynote 17:00
Cisco SD-Access Using
Cisco Live
Cisco DNA Center
Celebration 18:30
Operating Cisco SDA
#CLEMEA
Complete your
online session
survey • Please complete your session survey
after each session. Your feedback
is very important.
• Complete a minimum of 4 session
surveys and the Overall Conference
survey (starting on Thursday) to
receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events
Mobile App or by logging in to the Content
Catalog on ciscolive.com/emea.
Cisco Live sessions will be available for viewing on

demand after the event at ciscolive.com.
Summit

journey is like
mountain, small
to the top!
Matterhorn
Continue your education
Demos in the
Walk-In Labs
Cisco Showcase
Meet the Engineer

Related sessions
1:1 meetings
Thank you
Appendix
Configuring additional links after LAN
automation was performed
Reference
Pre-requisites/Assumptions:
• LAN automation was already performed
• Links between B1 and E1 to E3 are provisioned
• LAN automation IP pool is available B C B C
B1 B2
CAUTION: If you selected 'Enable Multicast' option

the first time LAN Automation was performed on the
device, do not select this option when using this
method to configure additional links. You need to E E E
manually configure "ip pim sparse-mode" under the

interface after the Layer 3 configuration was applied.
E1 E2 E3
Reference
Step-1:
• Ensure the ports are physically connected to the
correct devices (show cdp neighbor)
• Ports should not have any configuration applied B C B C
B1 B2
E E E
E1 E2 E3
Reference
Step-2:
• Go to “PROVISION” and Select “Provision / LAN
Automation”
• For the “Primary Device” select “B2” B C B C
• For the “Peer Device” select the Device to which you B1 B2

want to configure the link (in our case, we start with
“E1”)
• Select the Port on the “Primary Device” (in our case,
it’s T1/1/1) E E
E
• Select the same IP Pool which was used when the

initial LAN Automation was performed
E1 E2 E3
Reference
Step-3:
• Start LAN Automation and wait 2 minutes
• Stop LAN Automation
B C B C 2 min
• Obviously, no new device was discovered
B1 B2
• However, the link will be configured as Layer 3
interface with corresponding IP Addresses
Link to CCO: https://www.cisco.com/c/en/us/td/docs/cloud-

systems-management/network-automation-and-
E
management/dna- E E
center/tech_notes/b_dnac_sda_lan_automation_deployment.ht
ml#id_89815
E1 E2 E3
Complete your
online session
survey • Please complete your session survey
after each session. Your feedback
is very important.
• Complete a minimum of 4 session
surveys and the Overall Conference
survey (starting on Thursday) to
receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events
Mobile App or by logging in to the Content
Catalog on ciscolive.com/emea.
Cisco Live sessions will be available for viewing on

demand after the event at ciscolive.com.
Continue your education
Demos in the
Walk-In Labs
Cisco Showcase
Meet the Engineer

Related sessions
1:1 meetings
Thank you

BRKSDN 2500

Uploaded by

Document Informationclick to expand document information

Copyright:

Available Formats

BRKSDN 2500

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BRKSDN 2500

Uploaded by

Copyright:

Available Formats

Real World Use Cases for Deploying

and Operating Cisco SD-Access

Peter Fuchs, Technical Solutions Architect

Cisco SD-Access Step 2: Shoulder

• Some DO’s DONT’s

Surface Solution Syntetic Fibers

• new technical requirements

• strong focus on cloud-based

Cisco SD-Access Step 2: Shoulder

PnP Agent - device cleanup

Solved since Cisco IOS XE Fuji 16.8.1a

all removes ALL (config, boot-variables AND images in flash)

Routing from DNAC/DHCP to your fabric is

This is not a DNAC task, but a «prepare

Configuring additional links after LAN Automation

Cisco SD-Access Step 2: Shoulder

You have deployed your DNAC in your PRE-

switches in the inventory.

Challenge: Cisco DNA CenterTM

You are happy with the results and want Self-Signed

Result will be:

Cisco DNA CenterTM

certificates (DNAC, ISE, WLC, etc.).

If you plan to use external

IMPORTANT: Best Practice for certificate management including

Demystify the site elements

Demystify the site elements

Demystify the site elements

Demystify the site elements

Use Case: Step 1: Solvay Hut

• Power on in any order and fix it

• Ramp up your stack

Turn on your switches in the order you

Turn on your switches in the order you

Turn on your switches in the order you

Turn on your switches in the order you

Turn on your switches in the order you

As soon as your stack is complete run

Power on in any order and fix it:

To verify which switch you are handling you

Power on in any order and fix it:

To verify which switch you are handling you

Operator in front of the switch can press beacon button

Verify LED status -----------------------

You can turn it on via command line as well

Power on in any order and fix it:

Power on in any order and fix it:

Now you are ready to run LAN Automation

Ramp up your stack:

Ramp up your stack:

Ramp up your stack:

After LAN Automation you add additional

Ramp up your stack:

If you want to add an additional uplink,

You have different options to build the stack,

Use Case: Step 1: Solvay Hut

How to extend existing VLAN into SDA fabric Core