Campus Fabric
Campus Fabric provides the basic infrastructure for building virtual networks based on policy-based segmentation constructs. Fabric Overlay provides services such as host mobility and enhanced security, which are additional to normal switching and routing capabilities.
Campus Fabric Overlay provisioning consists of three main components:
• Control-Plane
• Data-Plane
• Policy-Plane
Understanding Fabric Domain Elements
The following section describes the elements that make up the fabric domain.
- Fabric Edge Devices — Provide connectivity to users and devices that connect to the fabric domain. Fabric edge devices identify and authenticate endpoints, and register endpoint ID information in the fabric host-tracking database. They encapsulate at ingress and decapsulate at egress, to forward traffic to and from endpoints connected to the fabric domain.
- Fabric Control-Plane Devices — Provide overlay reachability information and endpoint-to-routing-locator mapping in the host-tracking database. The control-plane device receives registrations from fabric edge devices with local endpoints, and resolves requests from edge devices to locate remote endpoints.
- Fabric Border Devices — Connect traditional Layer 3 networks or different fabric domains to the local domain, and translate reachability and policy information, such as VRF and SGT information, from one domain to another.
- Virtual Contexts — Provide virtualization at the device level, using virtual routing and forwarding (VRF) to create multiple instances of Layer 3 routing tables. Contexts or VRFs provide segmentation across IP addresses, allowing for overlapped address space and traffic separation.
- Host-Pools — Group endpoints in the fabric domain into IP pools, and identify them with a VLAN ID and an IP subnet.
Campus Fabric Licensing
This section describes command-line interface (CLI) commands for managing Campus Fabric licensing.
To activate licensing, use the following commands:
[no] license boot level addon dna-essentials
[no] license boot level addon dna-advantage
To accept the end-user license agreement (EULA), use the following command:
[no] license accept end user agreement force
Example:
router#sh run | i license
license boot level addon dna-advantage
license accept end user agreement force
Example: Show commands for license right-to-use
All the examples listed in this section are based on the following configuration:
router#sh run | i license
license boot level addon dna-advantage
license accept end user agreement force
show license right-to-use
router#sh license right-to-use
slot License Name Type Period left
--------------------------------------------------------------------
Active sup Advanced Enterprise Services permanent Lifetime
Active sup dna-advantage Subscription CSSM Managed
Standby sup Advanced Enterprise Services permanent Lifetime
Standby sup dna-advantage Subscription CSSM Managed
show license right-to-use default
router#sh license right-to-use default
----------------------------------------------------
Active sup Advanced Enterprise Services permanent
Standby sup Advanced Enterprise Services permanent
show license right-to-use detail
router#sh license right-to-use detail
License Name : Advanced Enterprise Services
License State : Active, In use
License Name : dna-essentials
Period left : CSSM Managed
License Type : Subscription
License State : Not Activated
License Name : dna-advantage
Period left : CSSM Managed
License Type : Subscription
License State : Active, In use
show license right-to-use summary
router#sh license right-to-use summary
License Name Type Period left
-------------------------------------------------------
Advanced Enterprise Services permanent Lifetime
dna-advantage Subscription CSSM Managed
-------------------------------------------------------
License Level In Use: Advanced Enterprise Services addon: dna-advantage
License Level on Reboot: Advanced Enterprise Services addon: dna-advantage
show license right-to-use usage
router#sh license right-to-use usage
slot License Name Type In-use EULA
----------------------------------------------------------------------
Active sup Advanced Enterprise Services permanent yes yes
Active sup dna-essentials Subscription no yes
Active sup dna-advantage Subscription yes yes
----------------------------------------------------------------------
Standby sup Advanced Enterprise Services permanent yes yes
Standby sup dna-essentials Subscription no yes
Standby sup dna-advantage Subscription yes yes
----------------------------------------------------------------------
show license right-to-use eula
router#sh license right-to-use eula ?
permanent Displays EULA for permanent license.
subscription Displays EULA for the subscription license.
Campus Fabric Configuration Guidelines
Consider the following guidelines and limitations when configuring campus fabric elements:
- A Catalyst 6500 switch can act as a border router or control-plane device.
- If RBACL enforcement is not performed on the border router, configure SGT caching on the border router and transport the SGT through SXP to a router further upstream.
- Configure no more than 512 virtual contexts for unicast and 100 virtual contexts for multicast, in each fabric border node.
- IPv6 Layer 3 mobility is not supported.
How to Configure Fabric Overlay
Configuring Control-Plane Devices Using IPv4
To configure control-plane devices using IPv4, use the following LISP commands:
Before You Begin
Configure a loopback IP address for the control-plane device to ensure that the device is reachable.
Step 1: enable
    Example: Device> enable
    Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
    Example: Device# configure terminal
    Enters the global configuration mode.
Step 3: router lisp
    Example: Device(config)# router lisp
    Enters Locator/ID Separation Protocol (LISP) configuration mode.
Step 4: site site-name
    Example: Device(config-router-lisp)# site FD_Default
    Configures a LISP site on a control-plane device and enters LISP site configuration mode.
Step 5: authentication-key key
    Example: Device(config-router-lisp-site)# authentication-key examplekey
    Configures the password used to create the Hash-based Message Authentication Code (HMAC) Secure Hash Algorithm (SHA-1) hash for authenticating the map-register messages sent by edge devices when registering with the control-plane device.
Step 6: eid-prefix instance-id <value> <prefix> accept-more-specifics
    Example: Device(config-router-lisp-site)# eid-prefix 10.1.0.0/16 accept-more-specifics
    Example: Device(config-router-lisp-site)# eid-prefix instance-id 10 10.1.0.0/16 accept-more-specifics
    Configures a host-pool or a list of endpoint identifier (EID) prefixes that are allowed in a map-register message sent by the edge device when registering with the control-plane device. Specifies that an EID prefix that is more specific than the EID prefix configured is accepted and tracked. The instance-id keyword includes the specified instance ID (the instance ID used by the context you want to include in the host-pool) with the host-pool when it is registered with the control-plane device.
Step 7: exit
    Example: Device(config-router-lisp-site)# exit
    Exits LISP site configuration mode and returns to LISP configuration mode.
Step 8: Repeat Step 4 to Step 7 to configure another LISP site.
Step 9: ipv4 map-server
    Example: Device(config-router-lisp)# ipv4 map-server
    Configures a device to act as an IPv4 control-plane device.
Step 10: ipv4 map-resolver
    Example: Device(config-router-lisp)# ipv4 map-resolver
    In the fabric domain, the control-plane device acts as the map-server and the map-resolver. Enables the control-plane device with IPv4 LISP map resolver capabilities.
Step 11: end
    Example: Device(config-router-lisp)# end
    Exits LISP configuration mode and returns to privileged EXEC mode.
Configuring Control-Plane Devices Using IPv6
To configure control-plane devices using IPv6, use the following LISP commands:
Before You Begin
Configure a loopback IP address for the control-plane device to ensure that the device is reachable.
Step 1: enable
    Example: Device> enable
    Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
    Example: Device# configure terminal
    Enters the global configuration mode.
Step 3: router lisp
    Example: Device(config)# router lisp
    Enters Locator/ID Separation Protocol (LISP) configuration mode.
Step 4: site site-name
    Example: Device(config-router-lisp)# site FD_Default
    Configures a LISP site on a control-plane device and enters LISP site configuration mode.
Step 5: authentication-key key
    Example: Device(config-router-lisp-site)# authentication-key examplekey
    Configures the password used to create the Hash-based Message Authentication Code (HMAC) Secure Hash Algorithm (SHA-1) hash for authenticating the map-register messages sent by edge devices when registering with the control-plane device.
Step 6: eid-prefix instance-id <value> <ipv6_prefix>
    Example: Device(config-router-lisp-site)# eid-prefix 10:1::/64
    Example: Device(config-router-lisp-site)# eid-prefix instance-id 10 10:1::/64
    Configures a host-pool or a list of endpoint identifier (EID) prefixes that are allowed in a map-register message sent by the edge device when registering with the control-plane device. Specifies that an EID prefix that is more specific than the EID prefix configured is accepted and tracked. The instance-id keyword includes the specified instance ID (the instance ID used by the context you want to include in the host-pool) with the host-pool when it is registered with the control-plane device.
Step 7: exit
    Example: Device(config-router-lisp-site)# exit
    Exits LISP site configuration mode and returns to LISP configuration mode.
Step 8: Repeat Step 4 to Step 7 to configure another LISP site.
Step 9: ipv6 map-server
    Example: Device(config-router-lisp)# ipv6 map-server
    Configures a device to act as an IPv6 control-plane device.
Step 10: ipv6 map-resolver
    Example: Device(config-router-lisp)# ipv6 map-resolver
    In the fabric domain, the control-plane device acts as the map-server and the map-resolver. Enables the control-plane device with IPv6 LISP map resolver capabilities.
Step 11: end
    Example: Device(config-router-lisp)# end
    Exits LISP configuration mode and returns to privileged EXEC mode.
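The two checks that Step 5 and Step 6 set up on the control-plane device, in both the IPv4 and IPv6 procedures, shown as an added Python example (not Cisco code): verifying the HMAC on a map-register message, then checking the registered EID against the site's eid-prefix list. The message layout and Key ID values follow RFC 6830; the record bytes, the full-length digest, the 96-bit minimum and the mapping of a prefix without the instance-id keyword to instance 0 are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Key ID values defined for Map-Register authentication in RFC 6830.
KEY_ID_HASH = {1: hashlib.sha1, 2: hashlib.sha256}
HEADER_LEN = 16    # type/flags/record count (4) + nonce (8) + key ID (2) + auth length (2)
MIN_AUTH_LEN = 12  # assumption: refuse digests truncated below 96 bits

# Constructed model of site FD_Default: (instance ID, EID prefix, accept-more-specifics).
# Assumption: an eid-prefix without the instance-id keyword belongs to instance 0.
SITE_KEY = b"examplekey"
SITE_PREFIXES = [
    (0, "10.1.0.0/16", True),
    (10, "10.1.0.0/16", True),
    (10, "10:1::/64", False),
]

def sign_map_register(key, nonce, records, key_id=1):
    """Edge-device side: build a Map-Register whose records are opaque constructed bytes."""
    hash_fn = KEY_ID_HASH[key_id]
    auth_len = hash_fn().digest_size  # assumption: the full-length digest is sent
    header = struct.pack("!BBBB8sHH", 0x30, 0, 0, 1, nonce, key_id, auth_len)
    mac = hmac.new(key, header + bytes(auth_len) + records, hash_fn).digest()
    return header + mac + records

def verify_map_register(msg, key):
    """Control-plane side: recompute the HMAC with the auth field zeroed and compare."""
    if len(msg) < HEADER_LEN or msg[0] >> 4 != 3:  # type 3 = Map-Register
        return False
    key_id, auth_len = struct.unpack("!HH", msg[12:16])
    hash_fn = KEY_ID_HASH.get(key_id)
    if hash_fn is None or auth_len < MIN_AUTH_LEN or len(msg) < HEADER_LEN + auth_len:
        return False
    body_start = HEADER_LEN + auth_len
    zeroed = msg[:HEADER_LEN] + bytes(auth_len) + msg[body_start:]
    expected = hmac.new(key, zeroed, hash_fn).digest()[:auth_len]
    return hmac.compare_digest(msg[HEADER_LEN:body_start], expected)

def eid_allowed(prefixes, instance_id, eid):
    """Apply the eid-prefix rules: exact match, or a longer prefix if accept-more-specifics."""
    eid_net = ipaddress.ip_network(eid)
    for iid, prefix, more_specifics in prefixes:
        allowed = ipaddress.ip_network(prefix)
        if iid != instance_id or allowed.version != eid_net.version:
            continue
        if eid_net == allowed or (more_specifics and eid_net.subnet_of(allowed)):
            return True
    return False
```

A registration is accepted only when both functions return True for the same site, so a valid key does not let an edge device register an EID outside the prefixes and instance IDs configured for that site.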
Configuring Border Devices Using IPv4
To configure a border device using IPv4, use the following LISP commands.
Before You Begin
Configure a loopback IP address for the border device to ensure that the device is reachable.
Step 1: enable
    Example: Device> enable
    Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
    Example: Device# configure terminal
    Enters the global configuration mode.
Step 3: router lisp
    Example: Device(config)# router lisp
    Enters LISP configuration mode.
Step 4: encapsulation vxlan
    Example: Device(config-router-lisp)# encapsulation vxlan
    Specifies VXLAN-based encapsulation.
Step 5: eid-table vrf <vrf_name> instance-id <value>
    Example: Device(config-router-lisp)# eid-table vrf abcd instance-id 10
    Associates the non-default EID table with the specified instance ID.
Step 6: eid-table default instance-id instance-id
    Example: Device(config-router-lisp)# eid-table default instance-id 0
    Associates the default EID table with the specified instance ID. Control-plane device messages include this instance ID along with the associated EID prefixes.
Step 7: map-cache eid-prefix map-request
    Example: Device(config-router-lisp)# map-cache 10.1.1.0/24 map-request
    Configures a static IPv4 EID-to-RLOC mapping relationship by adding a map-cache with action send-map-request for the specified dynamic EID or host pool.
Step 8: ipv4 sgt
    Example: Device(config-router-lisp)# ipv4 sgt
    Enables the transport of Security Group Tags (SGT) in the fabric. For more information on SGTs, see Cisco TrustSec Configuration Guide.
Step 9: ipv4 proxy-etr
    Example: Device(config-router-lisp)# ipv4 proxy-etr
    Enables the border device service in the fabric domain.
Step 10: ipv4 proxy-itr ipv4 address
    Example: Device(config-router-lisp)# ipv4 proxy-itr 10.1.1.1
    Configures the device to operate as an IPv4 proxy ingress tunnel router (PITR), and configures the interface IP address used as a source address for encapsulation of data packets. The IPv4 locator address is used as the source address for data packets or map-request messages.
Step 11: ipv4 itr map-resolver ipv4 address
    Example: Device(config-router-lisp)# ipv4 itr map-resolver 10.1.1.2
    Configures the IP address of the map-resolver that the device queries for the RLOC corresponding to a destination EID.
Step 12: exit
    Example: Device(config-router-lisp)# exit
    Exits LISP configuration mode and enters global configuration mode.
Step 13: ip route ipv4-prefix next-hop
    Example: Device(config)# ip route 0.0.0.0 0.0.0.0 10.10.10.1
    Configures an IPv4 static route.
Step 14: exit
    Example: Device(config)# exit
    Exits global configuration mode and returns to privileged EXEC mode.
Configuring Border Devices Using IPv6
To configure a border device using IPv6, use the following LISP commands.
Before You Begin
Configure a loopback IP address for the border device to ensure that the device is reachable.
Step 1: enable
    Example: Device> enable
    Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
    Example: Device# configure terminal
    Enters the global configuration mode.
Step 3: router lisp
    Example: Device(config)# router lisp
    Enters LISP configuration mode.
Step 4: encapsulation vxlan
    Example: Device(config-router-lisp)# encapsulation vxlan
    Specifies VXLAN-based encapsulation.
Step 5: eid-table vrf <vrf_name> instance-id <value>
    Example: Device(config-router-lisp)# eid-table vrf abcd instance-id 10
    Associates the non-default EID table with the specified instance ID.
Step 6: eid-table default instance-id instance-id
    Example: Device(config-router-lisp)# eid-table default instance-id 0
    Associates the default EID table with the specified instance ID. Control-plane device messages include this instance ID along with the associated EID prefixes.
Step 7: map-cache eid-prefix ipv6 address/subnet mask map-request
    Example: Device(config-router-lisp)# map-cache 10:1:1::/64 map-request
    Configures a static IPv6 EID-to-RLOC mapping relationship by adding a map-cache with action send-map-request for the specified dynamic EID or host pool.
Step 8: ipv6 sgt
    Example: Device(config-router-lisp)# ipv6 sgt
    Enables the transport of Security Group Tags (SGT) in the fabric. For more information on SGTs, see Cisco TrustSec Configuration Guide.
Step 9: ipv6 proxy-etr
    Example: Device(config-router-lisp)# ipv6 proxy-etr
    Enables the border device service in the fabric domain.
Step 10: ipv6 proxy-itr ipv6 address
    Example: Device(config-router-lisp)# ipv6 proxy-itr 10.1.1.1
    Configures the device to operate as an IPv6 proxy ingress tunnel router (PITR), and configures the interface IP address used as a source address for encapsulation of data packets. The IPv6 locator address is used as the source address for data packets or map-request messages.
Step 11: ipv6 itr map-resolver ipv6 address
    Example: Device(config-router-lisp)# ipv6 itr map-resolver 10.1.1.2
    Configures the IP address of the map-resolver that the device queries for the RLOC corresponding to a destination EID.
Step 12: exit
    Example: Device(config-router-lisp)# exit
    Exits LISP configuration mode and enters global configuration mode.
Step 13: exit
    Example: Device(config)# exit
    Exits global configuration mode and returns to privileged EXEC mode.
Example: Configuring Fabric Border and Control-Plane Devices
Fabric Border Router Using IPv4
ip address 1.3.3.3 255.255.255.255
interface TenGigabitEthernet2/8 < ----------- North upstream facing
ip address 119.1.1.1 255.255.255.0
interface TenGigabitEthernet2/9 < -------- North upstream facing
ip address 19.1.1.1 255.255.255.0
interface TenGigabitEthernet 4/12 < -------- South RLOC facing
ip address 141.1.1.2 255.255.255.0
ip lisp source-locator Loopback10
1.3.3.3 priority 1 weight 100
eid-table default instance-id 0
map-cache 120.1.1.0/24 map-request <------ EID subnet at fabric edge
eid-table vrf abcd instance-id 1
map-cache 20.1.1.0/24 map-request <------ EID subnet at fabric edge
ipv4 itr map-resolver 1.4.4.4
Fabric Border Router Using IPv6
ip address 1.3.3.3 255.255.255.255
interface TenGigabitEthernet2/8 < ----------- North upstream facing
ipv6 address 119:1:1::1/64
interface TenGigabitEthernet2/9 < -------- North upstream facing
interface TenGigabitEthernet 4/12 < -------- South RLOC facing
ip address 141.1.1.2 255.255.255.0
ip lisp source-locator Loopback10
1.3.3.3 priority 1 weight 100
eid-table default instance-id 0
map-cache 120:1:1::/64 map-request <------ EID subnet at fabric edge
eid-table vrf abcd instance-id 1
map-cache 20:1:1::/64 map-request <------ EID subnet at fabric edge
ipv6 itr map-resolver 1.4.4.4
Control Plane Using IPv4
ip address 1.4.4.4 255.255.255.255
1.4.4.4 priority 1 weight 100
eid-prefix 120.1.1.0/24 accept-more-specifics
eid-prefix instance-id 1 20.1.1.0/24 accept-more-specifics
Control Plane Using IPv6
ip address 1.4.4.4 255.255.255.255
1.4.4.4 priority 1 weight 100
eid-prefix instance-id 1 20:1:1::/64