Segmentation is becoming more and more critical as part of securing a network. In this article I will compare MPLS VPNs to VRF-lite. Both are ways to segment a network logically at L3 using VNs (VRFs). Many years ago, when I was new to networking technologies, I had some fear of “MPLS”. I was biased and I thought of MPLS as something insanely complicated that only service providers used in their networks to magically inter-connect large companies.
If you are looking to configure NIC bonding for DNAC, this post will show the currently available options for the DN2-HW-APL appliance running DNAC version 18.104.22.168 and newer. Only 10G interfaces are addressed for NIC bonding in this post. If you want to play with 1G interface NIC bonding, have a look at the official documentation.
NOTE! NIC bonding is not supported for the DN1-HW-APL (1st gen DNAC appliance). An apparent reason for this is that the DN1 appliance only comes with a single NIC adapter with two 10G interfaces.
Introduction
We all know how daunting it can be to create and maintain documentation. Yet, when it is missing, we get frustrated. There is a standing joke regarding documentation: Documentation is like sex. When it's good, it's very good. When it's bad, it's still better than nothing. Nevertheless, I believe we can all agree that documentation is a requirement for any system. Having good, up-to-date documentation provides the following benefits:
The Challenge
Operating a network can be a daunting task, especially when you find yourself manually repeating ordinary work on a regular basis. As a network engineer you are likely to enjoy challenges with protocols and designs rather than unboxing, mounting, and installing hardware. The time spent on this everyday work should be kept to a minimum. In a streamlined network design, the configuration of new equipment should be based on a template with few variables, such as hostname and IP addressing.
Introduction
ISIS is the routing protocol preferred for SD-Access (SDA). Roughly speaking, SDA is somewhat similar to routed access. We can think of fabric edge nodes as access switches when comparing them to our traditional flat networks. Many companies buy multiple switches and deploy them in stacks using Cisco StackWise technology. This has the usual benefits of stacking, namely collapsing all of the switches in the stack into just one management and control plane.
Spanning tree is the L2 control plane protocol we have to ensure a loop-free network. It does so by blocking redundant links.
Topology
Here, SW1 is the root switch with a priority of 4096. SW2 has been configured for root secondary. SW3 is default. Ultimately these configurations result in the above converged STP topology.
Initial configurations
SW1
SW1#sh run | sec span
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 4096
SW1#
SW2
SW2#sh run | sec span
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 28672
SW2#
SW3
SW3#sh run | sec span
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree extend system-id
SW3#
Loop Guard
Loop guard is an STP enhancement.
Unfortunately, not all Cisco platforms support SDA. Cisco has chosen the following platforms to be supported as SDA extended nodes, so that both a desktop platform and IoT platforms can be offered:
3560CX
IE 3300
IE 3400
IE 3400H
IE 4000 series
IE 5000 series
Catalyst Digital Building
NOTE! If you plan on using policy, meaning micro segmentation using SGTs, only IE 3400 and IE 3400H are supported as policy extended nodes!
Some companies are established with multiple sites in a small geographic area inter-connected with DWDM, dark fiber, or maybe MPLS. SDA transit could make sense to configure if the MTU (>= 1550 bytes) and latency (~10 ms) allow for it. One advantage of using SDA transit is the end-to-end VXLAN encapsulation, which means we have end-to-end policy for both macro (VN) and micro (SGT) segmentation when using SDA transit.
In this post I’m using DNAC version 22.214.171.124 to demonstrate what happens when you discover a switch using DNAC. Previously I’ve written similar posts:
DNA Center - PnP - What It Does To Your Devices
DNA Center - Provision - What It Does To Your Devices
Test Case
One simple test case is all we need to see what DNAC does:
Manually configure a Cat9300 switch
Add the switch to DNAC using a discovery job
Topology
The below topology is used for this post:
In this post I’m using DNAC version 126.96.36.199 to demonstrate what DNAC does to your device when configuring the network settings in DNAC. Previously I’ve written similar posts:
DNA Center - PnP - What It Does To Your Devices
DNA Center - Discovery - What It Does To Your Devices
Test Case
One simple test case is all we need to see what DNAC does:
Manually configure a Catalyst 9300 switch
Add the switch to DNAC manually via inventory
Topology
The below topology is used for this post: