What is a fabric?

I get this question a lot: what is a fabric? Most people have an idea of what it is, but it's a blurry one. "Fabric" is a word that gets thrown around by many, and it can be intimidating to ask what exactly a fabric is. So today the goal is to provide an overview that answers the question. I define it in the first section and get into some of the components throughout the post.

A fabric is a two-layer construct. There is an underlay, which is the physical makeup of the network and is responsible for moving the packet. The overlay is the abstract service layer; it is responsible for things such as policies, segmentation, and mobility. Some overlay technologies you may already be aware of: CAPWAP, GRE, MPLS, DMVPN, OTV, ACI, LISP.

Overlays can come in two ways:

Layer 2 Overlays – offer single-subnet mobility within Layer 2, extending L2 flooding.
Layer 3 Overlays – offer IP mobility, transport IP packets, and contain failure domains.

So the new term for a LAN-enabled fabric is ‘campus fabric’. However, it's commonly shortened and referred to as a fabric or a fabric domain.

The campus fabric can be summarized as having:

  1. LISP based Control-Plane
  2. VXLAN based Data-Plane
  3. Integrated Cisco TrustSec (policy plane)

Let’s pause to define some terms within the Campus Fabric. Don’t glaze over on me! Just be aware of these terms; no need to know them inside and out for this overview.

Control-Plane Node = LISP Map-Server : a node in the fabric responsible for resolving EIDs to RLOCs.
Edge Node = LISP Tunnel Router (xTR) : responsible for encapsulating the packet at the edge of the network and authenticating endpoints.
Border Node = LISP Proxy Tunnel Router (PxTR) : responsible for encapsulating or de-encapsulating the packet as it enters or leaves the fabric. Any traffic entering or leaving the fabric goes through this node. You NEED at least one of these.
Intermediate Node = Non-LISP IP forwarder : imagine a 3-tier architecture, Access-Distro-Core; the Distro would be your intermediate nodes.
Fabric Domain = FD = LISP Process
Virtual Network = VN = LISP Instance = VRF : maintains a separate routing and switching instance for each virtual network.
Endpoint ID Group = EIG = Segment = SGT : each user or device is assigned to a unique Endpoint ID Group.
Host Pool = Dynamic EID = VLAN + IP Subnet : provides the basic IP constructs, including the Anycast Gateway.

LISP overview

Locator/ID Separation Protocol – now read that back sloooowly. It’s self-defining: LISP separates the IP (the ID) from the location (the Locator).

LISP at its simplest is nothing more than a mapping system, but it is also a routing architecture, a control plane protocol and a data plane protocol. It separates identity from location.

A device’s IP (identity) is generally tied to the location of that device. If a device wants to roam to a new location, it needs a new IP (identity) for that location.

From a design perspective you can see how this can be helpful. This is just like roaming between cell towers with your cell phone: your location changes but your cell phone number (identity) does not.

LISP assigns Endpoint Identifiers, or EIDs, to hosts, and the EID takes on the role of the device’s identity. I don’t want to confuse you: EIDs do not replace a device’s IP. EIDs are there so that the RLOC mapping can tie a device to a location.

Routing Locators, or RLOCs, map Endpoint Identifiers (EIDs) to a current location. The control plane node is responsible for doing this. RLOCs should be viewed as the control plane protocol for LISP.

The LISP mapping system is analogous to DNS resolution: DNS queries answer the “WHO IS” question and LISP resolution answers the “WHERE IS” question.

Why do I care about LISP? Because the fabric overlay is LISP enabled!
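To make the EID/RLOC split concrete, here is an added example (not code from the original post, and not Cisco's implementation) that models the map-server, two edge nodes and a border node in a few lines of Python. The host's EID never changes; when it roams, the edge it lands on re-registers it and the next "WHERE IS" lookup returns the new RLOC. Unknown EIDs are steered to the border node, since the post says all traffic leaving the fabric goes through it. Every address in the block is a constructed sample value.

```python
"""LISP EID-to-RLOC mapping walk-through.

Added example, not code from the original post or from Cisco: a tiny in-memory
model of the map-server (control-plane node), edge nodes (xTRs) and a border
node (PxTR). All addresses below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class MapServer:
    """Control-plane node: the EID -> RLOC database ("WHERE IS" lookups)."""
    db: Dict[str, str] = field(default_factory=dict)

    def map_register(self, eid: str, rloc: str) -> None:
        # An edge node registers (or re-registers) an endpoint it has learned.
        # A later registration for the same EID overwrites the old locator,
        # which is what lets the host roam without being renumbered.
        self.db[eid] = rloc

    def map_request(self, eid: str) -> Optional[str]:
        # Returns the RLOC currently holding the EID, or None if unknown.
        return self.db.get(eid)


@dataclass
class EdgeNode:
    """LISP xTR: registers local endpoints and encapsulates towards remote RLOCs."""
    rloc: str
    map_server: MapServer
    local_eids: Set[str] = field(default_factory=set)

    def endpoint_attached(self, eid: str) -> None:
        # Host shows up on this edge (after authentication); register it.
        self.local_eids.add(eid)
        self.map_server.map_register(eid, self.rloc)

    def endpoint_detached(self, eid: str) -> None:
        # Host left; forget it locally. The new edge's registration wins.
        self.local_eids.discard(eid)

    def outer_header(self, dst_eid: str, border_rloc: str) -> Tuple[str, str]:
        """Outer (src RLOC, dst RLOC) used to encapsulate a packet to dst_eid.

        Unknown EIDs are handed to the border node (PxTR), the only exit from
        the fabric. The inner packet keeps the EIDs untouched.
        """
        if dst_eid in self.local_eids:
            return (self.rloc, self.rloc)  # local delivery, no encapsulation
        dst_rloc = self.map_server.map_request(dst_eid)
        if dst_rloc is None:
            return (self.rloc, border_rloc)
        return (self.rloc, dst_rloc)


def roaming_demo() -> Dict[str, object]:
    """Host 10.1.1.10 (EID) roams from edge A to edge B; its EID never changes."""
    ms = MapServer()
    edge_a = EdgeNode("192.0.2.1", ms)   # constructed RLOCs
    edge_b = EdgeNode("192.0.2.2", ms)
    edge_c = EdgeNode("192.0.2.3", ms)
    border = "192.0.2.254"

    host = "10.1.1.10"                   # EID, stays the same throughout
    edge_a.endpoint_attached(host)
    before = edge_c.outer_header(host, border)   # towards edge A

    edge_a.endpoint_detached(host)
    edge_b.endpoint_attached(host)               # host moved; re-registered
    after = edge_c.outer_header(host, border)    # now towards edge B

    unknown = edge_c.outer_header("203.0.113.9", border)  # not in fabric
    return {"before": before, "after": after, "unknown": unknown,
            "eid_unchanged": host}


if __name__ == "__main__":
    print(roaming_demo())
```

The DNS analogy from the post maps directly onto the two methods: `map_register` is the zone update, `map_request` is the query. Note the default for an unknown EID is to hand the packet to the border rather than flood it, which is the containment property Layer 3 overlays are credited with above.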

VXLAN Data-Plane Overview

VXLAN encapsulation is used to carry L2 information. This is necessary because if we were to run LISP only, we would not be able to carry L2 information; the LISP payload only supports L3 information. So, to get both L2 and L3 capabilities, we run VXLAN as the data plane.
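The reason VXLAN gives us L2 is visible in the header layout: the VXLAN payload is a complete Ethernet frame, so inner MAC addresses and EtherType cross the underlay intact. The following is an added example, not code from the original post or from Cisco, that builds and parses a VXLAN UDP payload according to the RFC 7348 layout (8-byte header: flags, reserved, 24-bit VNI, reserved). The packet bytes are constructed inline; the "I" flag check is the one a receiver performs before trusting the VNI.

```python
"""Building and parsing a VXLAN-encapsulated frame (RFC 7348 header layout).

Added example, not code from the original post or from Cisco. It shows why the
post says VXLAN is needed for L2: the VXLAN payload is a whole Ethernet frame,
so inner MAC addresses and EtherType survive the trip across the underlay.
The sample packet bytes are constructed here, not captured from a fabric.
"""
import struct
from typing import Dict

VXLAN_UDP_PORT = 4789        # IANA-assigned UDP port for VXLAN (RFC 7348)
VXLAN_HDR_LEN = 8
ETH_HDR_LEN = 14
FLAG_VNI_VALID = 0x08        # "I" bit: the VNI field is valid


def build_vxlan_frame(vni: int, dst_mac: bytes, src_mac: bytes,
                      ethertype: int, inner_payload: bytes) -> bytes:
    """Constructs the UDP payload: VXLAN header followed by an Ethernet frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # flags(1) | reserved(3) | VNI(3) | reserved(1)
    header = bytes([FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    eth = dst_mac + src_mac + struct.pack("!H", ethertype)
    return header + eth + inner_payload


def parse_vxlan_frame(udp_payload: bytes) -> Dict[str, object]:
    """Returns the VNI plus the inner L2 header; raises on malformed input."""
    if len(udp_payload) < VXLAN_HDR_LEN + ETH_HDR_LEN:
        raise ValueError("too short for VXLAN header + inner Ethernet header")
    flags = udp_payload[0]
    if not flags & FLAG_VNI_VALID:
        # A receiver must drop frames whose VNI is not flagged valid.
        raise ValueError("VXLAN I flag not set; VNI invalid")
    vni = int.from_bytes(udp_payload[4:7], "big")
    inner = udp_payload[VXLAN_HDR_LEN:]
    dst_mac, src_mac = inner[0:6], inner[6:12]
    ethertype = struct.unpack("!H", inner[12:14])[0]
    return {
        "vni": vni,
        "inner_dst_mac": dst_mac.hex(":"),
        "inner_src_mac": src_mac.hex(":"),
        "inner_ethertype": ethertype,
        "inner_payload_len": len(inner) - ETH_HDR_LEN,
    }


def is_valid_vxlan(udp_payload: bytes) -> bool:
    """Convenience check: True only if the payload parses cleanly."""
    try:
        parse_vxlan_frame(udp_payload)
        return True
    except ValueError:
        return False


def demo() -> Dict[str, object]:
    # Constructed sample: VNI 8100 carrying an IPv4 (0x0800) frame between two MACs.
    frame = build_vxlan_frame(
        vni=8100,
        dst_mac=bytes.fromhex("0a1b2c3d4e5f"),
        src_mac=bytes.fromhex("0a1b2c3d4e60"),
        ethertype=0x0800,
        inner_payload=b"\x45" + b"\x00" * 19,   # 20-byte placeholder IPv4 header
    )
    return parse_vxlan_frame(frame)


if __name__ == "__main__":
    print(demo())
```

For a defender, the parse result is what a sensor on the underlay needs in order to attribute inner traffic to a segment: the VNI identifies the virtual network, and the inner MACs identify the endpoints, neither of which is visible in the outer IP/UDP header alone.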

What is Cisco TrustSec?

TrustSec (CTS) takes the complexity away from static ACLs and uses a tag-based mechanism. So instead of building enforcement around an IP, you build enforcement around a tag, which allows for mobility.
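The mobility point is easiest to see side by side. The added example below (not code from the original post, and not TrustSec itself) models a tag policy matrix keyed on (source tag, destination tag) next to a classic IP-keyed ACL, then moves a user to a new address. The tag decision follows the user's identity binding; the ACL decision changes because the address no longer matches. Tag numbers, identities, subnets and the "guest pool" address are all constructed sample values.

```python
"""Tag-based (SGT) enforcement versus an IP-based ACL.

Added example, not code from the original post or from Cisco TrustSec itself.
The policy is keyed on (source tag, destination tag), so an endpoint that moves
to a new IP keeps the same enforcement outcome, whereas an IP-keyed ACL needs a
new entry. Tags, identities and addresses are constructed sample values.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Tags (constructed values) assigned to endpoints at authentication time.
SGT_EMPLOYEE = 10
SGT_CONTRACTOR = 20
SGT_FINANCE_SERVERS = 100

# Policy matrix: (src_sgt, dst_sgt) -> "permit" | "deny".
POLICY_MATRIX: Dict[Tuple[int, int], str] = {
    (SGT_EMPLOYEE, SGT_FINANCE_SERVERS): "permit",
    (SGT_CONTRACTOR, SGT_FINANCE_SERVERS): "deny",
}
DEFAULT_ACTION = "deny"   # least privilege: unlisted pairs are dropped

# Identity -> tag, decided by the policy authority, independent of address.
IDENTITY_TO_SGT: Dict[str, int] = {
    "alice@corp.example": SGT_EMPLOYEE,
    "bob.vendor@corp.example": SGT_CONTRACTOR,
    "fin-db-01": SGT_FINANCE_SERVERS,
}


def bind_session(sessions: Dict[str, str], ip: str, identity: str) -> None:
    """Edge node learns (or re-learns) the IP -> identity binding at auth time."""
    # Drop any stale binding for this identity so one endpoint has one address.
    for old_ip in [k for k, v in sessions.items() if v == identity]:
        del sessions[old_ip]
    sessions[ip] = identity


def sgt_decision(src_sgt: Optional[int], dst_sgt: Optional[int]) -> str:
    """Enforcement keyed on tags only; an unclassified side gets the default."""
    if src_sgt is None or dst_sgt is None:
        return DEFAULT_ACTION
    return POLICY_MATRIX.get((src_sgt, dst_sgt), DEFAULT_ACTION)


def sgt_decision_by_ip(sessions: Dict[str, str], src_ip: str, dst_ip: str) -> str:
    # The address is only used to find the session; the decision uses the tags.
    src_sgt = IDENTITY_TO_SGT.get(sessions.get(src_ip, ""))
    dst_sgt = IDENTITY_TO_SGT.get(sessions.get(dst_ip, ""))
    return sgt_decision(src_sgt, dst_sgt)


# The static-ACL way: ordered (src_net, dst_net, action), first match wins.
IP_ACL: List[Tuple[str, str, str]] = [
    ("10.10.0.0/24", "10.200.0.10/32", "permit"),   # "employee subnet" to finance DB
    ("0.0.0.0/0", "10.200.0.10/32", "deny"),
]


def acl_decision(src_ip: str, dst_ip: str) -> str:
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for src_net, dst_net, action in IP_ACL:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action
    return DEFAULT_ACTION


def mobility_comparison() -> Dict[str, str]:
    """Alice moves from 10.10.0.5 (employee subnet) to 10.30.0.7 (a constructed
    guest pool). The tag decision follows her identity; the ACL does not."""
    sessions: Dict[str, str] = {}
    bind_session(sessions, "10.200.0.10", "fin-db-01")
    bind_session(sessions, "10.10.0.5", "alice@corp.example")
    result = {
        "sgt_before": sgt_decision_by_ip(sessions, "10.10.0.5", "10.200.0.10"),
        "acl_before": acl_decision("10.10.0.5", "10.200.0.10"),
    }
    bind_session(sessions, "10.30.0.7", "alice@corp.example")   # roamed
    result["sgt_after"] = sgt_decision_by_ip(sessions, "10.30.0.7", "10.200.0.10")
    result["acl_after"] = acl_decision("10.30.0.7", "10.200.0.10")
    # The old address is no longer bound to anyone: default deny, not a leak.
    result["sgt_stale_ip"] = sgt_decision_by_ip(sessions, "10.10.0.5", "10.200.0.10")
    return result


if __name__ == "__main__":
    for name, verdict in mobility_comparison().items():
        print(f"{name:13s} {verdict}")
```

Two things worth noticing: the matrix has no address in it at all, so a subnet change is a non-event for policy, and an address that has lost its session binding falls to the default action rather than inheriting the previous user's tag. Both properties depend on the edge node re-binding sessions at authentication, which is exactly the job the post assigns to it.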

Let’s wrap things up with a list of platforms that support campus fabric.

Fabric Edge Nodes

  • Catalyst 9300 – IOS-XE 16.6.3+
  • Catalyst 9400 – IOS-XE 16.6.3+
  • Catalyst 3K – IOS-XE 16.6.3+
  • Catalyst 4500 Sup8E+ – IOS-XE 3.9+

Fabric Border Nodes

  • Catalyst 9500 – IOS-XE 16.6.3+
  • Catalyst 3K
  • Catalyst 6800 Sup2T/6T – IOS 15.4SY+
  • ASR-1000-X/HX – IOS-XE 16.4+
  • ISR4K – IOS-XE 16.4+
  • Nexus 7700 w/ M3 cards – NX-OS 7.3.2+

Fabric Control Plane

  • Catalyst 9500
  • Catalyst 3K
  • Catalyst 6800 Sup2T/6T
  • ASR-1000-X/HX
  • ISR4K

Lab it up! You only need three switches to test this out.

You can use the command ‘fabric auto’, which automatically generates the necessary LISP and VXLAN configuration on the device so that it can join the fabric.

For example:

Edge(config)# fabric auto
Edge(config-fabric-auto)# domain default
Edge(config-fabric-auto)# control-plane auth-key key1
Edge(config-fabric-auto)# border

I hope that this served as a basic overview of campus fabric. It is the behind-the-scenes magic of intent-based networking.


SD-WAN – Cisco Viptela

As I mentioned in my previous post, SD-WAN is an emerging market. Many vendors are trying to become the front-runners, not only to capitalize on the market trend but to help standardize and define SD-WAN.

Want to secure your SD-WAN? Check out SIG and Integrating it into SDWAN

Several vendors are offering SD-WAN. Cisco has two SD-WAN offerings, Viptela SD-WAN and Meraki SD-WAN. We will discuss the Viptela solution and provide an overview of the architecture as well as how you can transition to SD-WAN.

The network is no longer a function of hardware. The network is a function of software.

Let’s take a step into what makes SD-WAN, SD-WAN. A Software-Defined Wide Area Network is nothing more than a router with fewer responsibilities.

Now you may be asking, what are the responsibilities of a standard router? Well, a standard router has to maintain a control plane, right? OSPF, BGP, the RIB. And of course the data plane and the management plane.

Taking the responsibilities of a standard router and segmenting, or decoupling, them so that they don’t have dependencies on each other is what makes SD-WAN at its foundation. After all, this is software defined networking…

Viptela SD-WAN Overview

vBond – vBond is the orchestrator for control plane connectivity. When a new device comes onto the fabric it needs to contact vBond. vBond assists in authenticating the device, connecting it to the vSmart controllers and discovering vManage. vBond is a virtual appliance.

vSmart – vSmart is the controller. vSmart controllers distribute data plane policies to the vEdge routers. OMP is used to communicate between the vSmart controllers and the vEdge routers. The vSmart controller is a virtual appliance.

vEdge – vEdge is the router. It establishes a TLS connection to the vSmart controllers, over which OMP runs, and receives data plane and control plane policies from them. vEdge routers support traditional IGP protocols and VRRP on the LAN. vEdge routers can be deployed physically or virtually.

vManage – vManage is the GUI for all of this. This is where you create and assign policies, provision, monitor and troubleshoot your SD-WAN network. vManage is a virtual appliance.

I wanted to highlight these as the foundational components of Viptela; by no means is this a complete architecture!

Let’s explore how to get from a traditional WAN to an SD-capable WAN. First, ask yourself if you are faced with these issues:

  1. Poor user experience for cloud and Internet applications at the branch
  2. A need to provide high-bandwidth connectivity at the branch while reducing WAN costs
  3. A need to simplify branch deployments
  4. Securing the branch

If you are affected by one or more of these issues, then you should look into Cisco’s Viptela SD-WAN.

Then start with a phased approach. You can stand up Viptela in a brownfield fashion so that when you are ready, you can cut over from your existing WAN to your SD-WAN.

Deploy vBond, vSmart, and vManage as virtual appliances in the cloud.

Then decide on a physical or virtual deployment for your branch vEdge routers. If you are using ISR1K/4K or ASR1K at the branch, you already have vEdge capabilities! IOS-XE release 16.9.1 will get you the SD-WAN capabilities.

Viptela has some of the best and easiest-to-digest documentation. See Getting Started and Viptela – Bring Up Sequence of Events to get your SD-WAN fix!


Evolving Technologies

SD-WAN, SD-Access, and Intent Based Networking are emerging designs to serve a single purpose.

Application trends, traffic trends and user experience are changing. They are going to continue to change as the adoption of the “cloud” continues.

The idea of hosted applications has changed the way the network functions and delivers content. Applications like Cisco WebEx, Microsoft O365, and Amazon Web Services are all examples of applications that have adopted the cloud model, better known as Software as a Service (SaaS).

These applications differ in function, yet all attempt to benefit from heterogeneous networks, where any user, at any location, on any network can access their application.

Any user, any location, and any network is of course subjective and has dependencies unrelated to this discussion; however, this is the idea behind SD-WAN, SD-Access, and Intent Based Networking.

The benefits that come from these designs are reduced operational and capital expenses and a simpler network.

However, the true benefit these designs offer is user experience. User experience is the business of today and the future.

Through a series of posts we will talk about SD-WAN and other related “evolving technologies” and buzz around the industry.