Configure a multi-site remote border if you require a centralized gateway for a subset of the Virtual Networks (VNs) across
multiple fabric sites. The traffic for those VNs will egress the fabric from the multi-site remote border at the central site.
This section describes how to configure a multi-site remote border.
Multi-Site Remote Border
A multi-site remote border enables the fabric network to isolate untrusted traffic to a central location like a firewall or
a DMZ (demilitarized zone). For example, if the network has a guest virtual network (VN) that is stretched across multiple
sites, all the guest traffic can be tunneled to a remote border at the DMZ, thus isolating the guest traffic from the enterprise
traffic.
In a multi-site network deployment, you can designate a common border (multi-site remote border) to route the traffic to and
from a particular VN that is stretched across multiple sites. This allows you to deploy a VN across multiple fabric sites
but have a single subnet across all these sites. Preserving the subnets across multiple fabric sites helps in conserving the
IP address space.
Here are some common terms that are used in the context of a multi-site remote border:
Anchor Virtual Network (VN): A virtual network that exists across multiple fabric sites in a network. The associated IP subnet and segment are common
across these multiple sites.
Anchor Site: The fabric site that hosts the common border and control plane for an Anchor VN. The Anchor Site handles the ingress and egress
traffic for the Anchor VN.
Anchoring Sites: Fabric sites other than the Anchor Site where the Anchor VN is deployed.
Anchor Border Node or Multi-Site Remote Border: The fabric border node at the Anchor Site that provides the ingress and egress location for traffic to and from the Anchor
VN.
Anchor Control Plane Node: The fabric control plane node at the Anchor Site that accepts registrations and responds to requests for endpoints in the
Anchor VN.
A Use Case for a Multi-Site Remote Border
Different users and devices in an enterprise network require different levels of access on the network. A guest user connecting
to a fabric site can be permitted to access the internet but should not be permitted to access business-sensitive data or
network resources such as shared folders and storage devices. Guest users connecting to multiple fabric sites in
an enterprise network must be handled in a secure and reliable manner.
In a typical case, an endpoint (which could be a guest user) in a fabric site is assigned an Endpoint Identifier (EID) address
from the local EID subnet, and its traffic is directed through the local border. This adds complexity to policy enforcement
and EID address management for guests across multiple sites. To achieve traffic isolation and better manage the guest traffic,
you can direct all the guest traffic to a designated border node located in the DMZ site. (A DMZ site provides access
to external networks such as the internet but prevents external users from accessing the resources or data of the fabric network.)
The DMZ site then becomes the ingress and egress site for all traffic to and from the guest VN.
Guidelines for Configuring a Multi-Site Remote Border
An Anchor VN can have only one Anchor Site.
The path from the fabric edge nodes of the Anchoring Sites to the multi-site remote border must support frames larger than
1500 bytes, because the VXLAN encapsulation adds 50 bytes of outer headers to every overlay packet.
We recommend a Transmission Control Protocol (TCP) Maximum Segment Size (MSS) of 1250 bytes on the overlay
SVI interfaces, so that TCP sessions in the Anchor VN do not rely on fragmentation across the inter-site path.
How to Configure a Multi-Site Remote Border
This section shows only the configurations on the Anchor Site and the Anchoring Sites for a multi-site remote border.
Before you begin, provision the fabric sites in the network. For a complete description of the fabric site configurations,
refer to the earlier chapters of this document.
To anchor a VN and configure a multi-site remote border, do the following:
Configure the control plane node at the Anchor Site to act as the map-server and map-resolver for the requests from the Anchor
VN.
Configure the EID prefixes of the Anchor VN only on the control plane node at the Anchor Site. The control plane node of the
Anchoring Sites should not be configured with the EID prefixes of the Anchor VN.
In the following topology, a Guest VN (Anchor VN) is spread across Fabric Site 1 and Fabric Site 2 (Anchoring Sites). Each
of these fabric sites has its own control plane node and border nodes. The DMZ site (Anchor Site) has a colocated control
plane node and border node (CPB), which is configured as the multi-site remote border.
Note
The following is a snippet of the configurations on the fabric edge nodes and the DMZ control plane node. The snippet shows
only the configurations that are required for multi-site remote border functionality. For complete configurations on the
fabric nodes, refer to the earlier chapters in the document.
Colocated Control Plane and Border Node at DMZ site:
<snip: only the relevant configuration is shown>
site site_uci
description mapserver
authentication-key auth-key
eid-record instance-id 4099 0.0.0.0/0 accept-more-specifics
eid-record instance-id 4099 10.50.1.0/24 accept-more-specifics
eid-record instance-id 4099 ::/0 accept-more-specifics
eid-record instance-id 4099 2001:DB8:2050::/64 accept-more-specifics
eid-record instance-id 16188 any-mac
allow-locator-default-etr instance-id 4099 ipv4
allow-locator-default-etr instance-id 4099 ipv6
exit-site
!
<snip: only the relevant configuration is shown>
Fabric Edge Nodes on the Sites Hosting the Anchor VN:
<snip: only the relevant configuration is shown>
router lisp
locator-table default
locator-set rloc_set
IPv4-interface Loopback0 priority 10 weight 10
exit-locator-set
!
locator default-set rloc_set
service ipv4
encapsulation vxlan
itr map-resolver 172.16.1.67 //MSMR points to CPB at the local Site
etr map-server 172.16.1.67 key some-key
etr map-server 172.16.1.67 proxy-reply
etr
sgt
proxy-itr 172.16.1.69
exit-service-ipv4
!
service ipv6
encapsulation vxlan
itr map-resolver 172.16.1.67 //MSMR points to CPB at the local Site
etr map-server 172.16.1.67 key some-key
etr map-server 172.16.1.67 proxy-reply
etr
sgt
proxy-itr 172.16.1.69
exit-service-ipv6
!
service ethernet
itr map-resolver 172.16.1.67 //MSMR points to CPB at the local Site
itr
etr map-server 172.16.1.67 key some-key
etr map-server 172.16.1.67 proxy-reply
etr
exit-service-ethernet
!
//Configurations for the Anchor VN
instance-id 4099
remote-rloc-probe on-route-change
dynamic-eid AVlan50-IPV4
database-mapping 10.50.1.0/24 locator-set rloc_set
exit-dynamic-eid
!
dynamic-eid AVlan50-IPV6
database-mapping 2001:DB8:2050::/64 locator-set rloc_set
exit-dynamic-eid
!
service ipv4
eid-table vrf GuestVN
map-cache 0.0.0.0/0 map-request
itr map-resolver 172.16.1.66 //MSMR points to CPB at the DMZ Site
etr map-server 172.16.1.66 key auth-key
etr map-server 172.16.1.66 proxy-reply
etr
proxy-itr 172.16.1.69
exit-service-ipv4
!
service ipv6
eid-table vrf GuestVN
map-cache ::/0 map-request
itr map-resolver 172.16.1.66 //MSMR points to CPB at the DMZ Site
etr map-server 172.16.1.66 key auth-key
etr map-server 172.16.1.66 proxy-reply
etr
proxy-itr 172.16.1.69
exit-service-ipv6
!
exit-instance-id
!
instance-id 16188
remote-rloc-probe on-route-change
service ethernet
eid-table vlan 50
database-mapping mac locator-set eid_locator
itr map-resolver 172.16.1.66 //MSMR points to CPB at the DMZ Site
itr
etr map-server 172.16.1.66 key auth-key
etr map-server 172.16.1.66 proxy-reply
etr
exit-service-ethernet
!
exit-instance-id
!
<snip: only the relevant configuration is shown>
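As an added check (example code written for this page, not Cisco's own tooling or configuration), the following script verifies the two requirements of the procedure above: that every instance of the Anchor VN on an edge node registers with and resolves through the DMZ control plane only, with a map-register key that matches the DMZ site's authentication-key, and that the DMZ map-server actually accepts the edge node's EID prefixes for those instances. It also confirms the edge node's default services still point at the local control plane, so the other VNs are not pulled to the DMZ. It assumes the same instance-ids (4099 for the Guest VN IP services, 16188 for its Layer 2 service), addresses (172.16.1.66 for the DMZ CPB, 172.16.1.67 for the local control plane) and keys as the snippet above; the configuration strings embedded in it are constructed, trimmed copies of that snippet, and all function names are the example's own.

```python
"""Added example (not from the Cisco document): check that an Anchor VN really is
anchored at the DMZ control plane and border. A guest VN whose edge nodes still
register with the local control plane egresses via the local border, which is
exactly the isolation failure the multi-site remote border is meant to prevent.
"""
import ipaddress
import re
from collections import defaultdict

def parse_edge_lisp(text):
    """Map instance-id -> LISP settings on an edge node (0 holds the default services)."""
    inst = defaultdict(lambda: {"map_servers": set(), "map_resolvers": set(),
                                "keys": set(), "prefixes": set()})
    cur = 0
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop the page's '//' annotations
        if m := re.match(r"instance-id (\d+)$", line):
            cur = int(m.group(1))
        elif line == "exit-instance-id":
            cur = 0
        elif m := re.match(r"itr map-resolver (\S+)", line):
            inst[cur]["map_resolvers"].add(m.group(1))
        elif m := re.match(r"etr map-server (\S+) key (\S+)", line):
            inst[cur]["map_servers"].add(m.group(1))
            inst[cur]["keys"].add(m.group(2))
        elif (m := re.match(r"database-mapping (\S+) locator-set", line)) and m.group(1) != "mac":
            inst[cur]["prefixes"].add(ipaddress.ip_network(m.group(1)))
    return dict(inst)

def parse_site(text):
    """Return (authentication-key, {instance-id: accepted EID records}) from a 'site' block."""
    key, records = None, defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"authentication-key (\S+)", line):
            key = m.group(1)
        elif m := re.match(r"eid-record instance-id (\d+) (\S+)", line):
            rec = m.group(2)
            records[int(m.group(1))].add(rec if rec == "any-mac" else ipaddress.ip_network(rec))
    return key, dict(records)

def check_anchor_vn(edge, site_key, site_records, anchor_ids, dmz_cp):
    """Return findings as strings; an empty list means the Anchor VN is consistently anchored."""
    findings = []
    for iid in anchor_ids:
        cfg = edge.get(iid)
        if cfg is None:
            findings.append(f"instance {iid}: missing on edge node")
            continue
        if cfg["map_servers"] != {dmz_cp} or cfg["map_resolvers"] != {dmz_cp}:
            findings.append(f"instance {iid}: must use only the DMZ control plane {dmz_cp}")
        if cfg["keys"] != {site_key}:
            findings.append(f"instance {iid}: map-register key differs from the DMZ site key")
        recs = site_records.get(iid, set())
        nets = [r for r in recs if not isinstance(r, str)]
        if not cfg["prefixes"] and "any-mac" not in recs:  # Layer 2 (ethernet) instance
            findings.append(f"instance {iid}: DMZ site has no any-mac record")
        for pfx in cfg["prefixes"]:
            if not any(pfx.version == n.version and pfx.subnet_of(n) for n in nets):
                findings.append(f"instance {iid}: DMZ site does not accept {pfx}")
    # The other VNs' default services must stay with the local control plane.
    local = edge.get(0, {"map_servers": set(), "map_resolvers": set()})
    if dmz_cp in local["map_servers"] | local["map_resolvers"]:
        findings.append("default services point at the DMZ control plane")
    return findings

# Constructed input, trimmed to the lines the checks read; values are the page's.
EDGE_LISP = """\
router lisp
 service ipv4
  itr map-resolver 172.16.1.67 //MSMR points to CPB at the local Site
  etr map-server 172.16.1.67 key some-key
 exit-service-ipv4
 instance-id 4099
  database-mapping 10.50.1.0/24 locator-set rloc_set
  service ipv4
   itr map-resolver 172.16.1.66 //MSMR points to CPB at the DMZ Site
   etr map-server 172.16.1.66 key auth-key
  exit-service-ipv4
 exit-instance-id
 instance-id 16188
  service ethernet
   itr map-resolver 172.16.1.66
   etr map-server 172.16.1.66 key auth-key
  exit-service-ethernet
 exit-instance-id
"""
DMZ_SITE = """\
site site_uci
 authentication-key auth-key
 eid-record instance-id 4099 0.0.0.0/0 accept-more-specifics
 eid-record instance-id 4099 ::/0 accept-more-specifics
 eid-record instance-id 16188 any-mac
exit-site
"""
ANCHOR_IDS, DMZ_CP = (4099, 16188), "172.16.1.66"

def run_checks(edge_text=EDGE_LISP, site_text=DMZ_SITE):
    """Run the anchoring checks on a pair of configs; [] means consistent."""
    key, records = parse_site(site_text)
    return check_anchor_vn(parse_edge_lisp(edge_text), key, records, ANCHOR_IDS, DMZ_CP)
```

Feed `run_checks` the `router lisp` section of each edge node's running configuration at the Anchoring Sites together with the `site` block from the Anchor Site's control plane node. Any finding means the Guest VN is not actually anchored: an instance that still points at the local control plane registers its EIDs locally and egresses through the local border, a key mismatch makes the DMZ map-server reject the map-registers, and a prefix missing from the DMZ site block is likewise refused, so the endpoints in that subnet become unreachable rather than isolated.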