MPLS

#CLUS
Integrating
Campus/DC Fabrics
with MPLS
Subtitle goes here
Minhaj Uddin, Technical Marketing Engineer

BRKMPL-2114
#CLUS
Agenda • Introduction
• Design Requirements
• Technology Involved
• DC Network Fabrics – FabricPath,
DFA,
ACI, and VXLAN with EVPN
• SD-Access Fabric
• MPLS Features and Capabilities
• The Service Layer
• The WAN Connectivity
• Design Options
• Case Studies
• Lessons Learned
• Conclusion
#CLUS BRKMPL-2108 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session
How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
Webex Teams will be moderated cs.co/ciscolivebot#BRKMPL-2114

by the speaker until June 18, 2018.
#CLUS © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Session Goals
At the end of the session, the participants should:
 Understand the design requirements
 Understand the technical building blocks
 Understand different designs and use cases and

the reasoning behind them
 Understand the lessons learned
Customer Requirements – NG Data Center
• Multi-tenancy
• Highly Scalable DC Architecture
• L2 Connectivity Between Racks
• Optimized for East/West as well
as North/South
• Minimize Oversubscription
• Scalable L4-7 Service Layer
• Highly available WAN
• Scalable WAN Architecture
• Some DCs connect via Internet
• Simplicity!
Customer Requirements – NG Campus
• Host Mobility (w/o stretching VLANs)
• Network Segmentation (w/o

implementing MPLS)
• Role-based Access Control (w/o

end-to-end TrustSec)
• Common Policy for Wired and

Wireless (w/o using multiple tools)
• Consistency Across Campus, WAN

and Branch (w/o using multiple tools)
Strategy  Flexible topology
 Minimize
oversubscription
 Scale out and scale up
 No spanning tree
Network  Incremental scale
Topology
(DC & WAN)
 Multi-tenancy
 Security and
Separation
 Traffic Eng
Virtualized
 Scalable Network
L4-7
Virtualization
Services
 Virtual FW/LB per tenant

 Flexible placement
 Incremental capacity
Background Info:
The Building Blocks
Business Drivers & Solutions for Network
Segmentation
Multi-
tenancy
SOLUTIONS
VRF
Mergers Shared
L3VPN services
Acquisitions
Multicast VPN
6VPE
Compliance
Virtual Routing and Forwarding (VRF)
• Creates independent and separate IPv4 and IPv6

Address Spaces
VRF-A
• Full Unicast and Multicast routing protocols support
VLAN 10 SVI 10
• Each non-default VRF is locally-significant on a given
VLAN 20 SVI 20
router
• Data traffic is not routed across VRFs with the default
VRF-B configuration
VLAN 30 SVI 30
VLAN 40 SVI 40
Segmentation with VRF lite
VRF-A VRF-A
L3 Sub-interface VLAN 10
SVI 10
VLAN 10 SVI 10
Routing Protocol
VLAN 20 SVI 20 SVI 20 VLAN 20
VRF-B VRF-B
L3 Sub-interface
Routing Protocol
Not easy to manage with large number of

VRFs
Connecting VRFs Through MPLS
RD: Makes Prefixes Unique
RT: Imports Prefixes into VRF
VPNv4 IPv4
VLAN10 VLAN20
VLAN10 VLAN20 VPNv6 IPv6 VRF-A VRF-B
VRF-A VRF-B RD 1:1 RD 2:2
RD 1:1 RD 2:2
RT 2:2
MDT Multicast RT 1:1 RT 2:2
RT 1:1
P MPLS tunnel P
Provider Tunnel Tunnel Provider

Label Label
Edge (PE) Edge (PE)
VRF-A VRF-B
Label Label
N7K supports GRE based Multicast VPN
(rosen draft 10)
VLAN10 VLAN20
VRF-A VRF-B
Data Center Building Blocks
Services Data Center 1 Services
Data Center 2
LB LB LB LB
Spine Spine
Border Leaf Border Leaf
Leaf DCI Leaf
Multi-tenant Fabric Multi-tenant Fabric

AS100 AS200
DC Edge Router DC Edge Router
MPLS Cloud
WAN
End user
connecting
Campus via internet
BGP Inter-AS Solution
MPLS Inter-AS Use Cases
Cust1 Cust1
AS1 WAN AS3
DC1 Core (AS2) DC2
Cust2 Cust2
 Connecting multi-tenant DCs
 Better Policy Control & Security
 WAN managed by other Vendors
 IGP Isolation
Extending MPLS with Inter-AS
Back-to-Back VRFs
ASBR1 (Option A)
ASBR2
MP-eBGP for VPNv4

AS #1 (Option B) AS #2
MPLS MPLS
Multihop MP-eBGP
PE11 between RRs PE22
(Option C)
MP-eBGP+Labels
CE1 CE2
VPN-R1 VPN-R2
Deployment & Implementation Scenarios
P-to-P tunneling (MPLS  MPLS)
IP Network
MPLS MPLS
DC1 MPLSoGRE
DC2
PE1 P1 P2 PE2
IGP Label GRE Header IGP Label

VPN Label IGP Label’ VPN Label
IP Payload VPN Label IP Payload
IP Payload
• IP WAN Transport
• IPSEC Option for security
• P to P Tunnel
• Looks like an MPLS Link
• Drawbacks:
• Cumbersome with multiple sites (MPLSoMGRE is an alternate solution)
• MTU
DC Fabric to MPLS Handoff Designs
#CLUS BRKMPL-2108 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Data Center 2
LB LB LB LB
Spine Spine
Leaf DCI Leaf

AS100 AS200
MPLS Cloud
WAN
End user
connecting
Campus via internet
Modernized Data Center
Existing 2/3-Tier Programmable SDN Application Centric
Designs Overlay Model Infrastructure
Modernized Operating System L2 & L3 Wire-rate Any Hypervisor

Overlay / Underlay
Programmable Open APIs Physical and Virtual
VXLAN / BGP Control Plane
Open API’s and Controller
Third Party Controllers
Broad and Deep Ecosystem

#CLUS © 2018 Cisco and/or its affiliates. All rights reserved. BRKMPL-2108
Cisco Public 21
Fabric Handoff to MPLS
Let’s discuss MPLS handoff for following Fabric
 vPC
 FabricPath
 Programmable Fabric (FabricPath)
 Programmable Fabric (VXLAN)
 ACI
MPLS Handoff (L3 DCI) for vPC Fabric NX-OS
7.2
AS300 Inter-as Option B

MP-eBGP
VPNv4/ VPNv6 MP-iBGP MP-eBGP
VPNv4/ VPNv6
RED VLAN <-> Red VRF VPNv4/VPNv6
MP-iBGP MP-iBGP
Orange VLAN <-> Orange VRF
VPNv4/ VPNv6 WAN VPNv4/ VPNv6
PE PE PE PE L2/L3 Boundary
L2/L3 Boundary
N7x00 N7x00
vPC vPC
N5000/N6000 N5000/N6000
N2000 N2000
VPC VPC
AS100 AS200
DC Fabric w/FabricPath
 Externally the Fabric looks like a single switch
 Internally, ISIS adds Fabric-wide intelligence and ties the elements
together.
 Provides in a plug-and-play fashion:
 Optimal, low latency connectivity any to any
 High bandwidth, high resiliency
 Open management and troubleshooting
 ISIS for multipathing and reachability
FabricPath FabricPath
MPLS Handoff (L3 DCI) for FabricPath NX-OS
7.2
AS300
Inter-as Option B
MP-iBGP
MP-eBGP
RED VLAN <-> Red VRF VPNv4/VPNv6 VPNv4/ VPNv6
Orange VLAN <-> Orange VRF
WAN
MP-iBGP MP-iBGP
F3 F3 F3 F3
VPNv4/ VPNv6 VPNv4/ VPNv6
PE PE PE PE L2/L3
L2/L3
Boundary
N7x00 N7x00 Boundary
F3 F3 F3 F3
N5000/N6000 N5000/N6000
AS 100 AS 200
Programmable Fabric
FabricPath & VXLAN
Programmable Fabric (FabricPath & VXLAN)
Fabric Workload Optimized Virtual Fabrics

Managemen Automation Networking
t
Bundled' functions'are' Modular,'Flexible' and'follows'

your'Choice' of'Integration'and'Speed' of'Adoption!
Programmable Fabric (FabricPath)
Host and Subnet Route Distribution
RR RR MP-iBGP Adjacencies
Fabric Host/Subnet MP-iBGP Control Plane External Subnet

Route Injection FabricPath DataPlane Route Injection
N1KV/OVS
Route-Reflectors
MAN/WAN deployed for scaling
purposes
• DC Fabric with a FabricPath based data plane and MP-iBGP control plane.
• Use MP-iBGP on the leaf nodes to distribute internal host/subnet routes and external reachability
information.
• Introduced Segment ID to increase name space to 16M identifier in the fabric.
MPLS (L3) DCI for Programmable Fabric
(FabricPath)
IP Forwarding between Fabrics across Layer-3 based DCI Two Box Solution
Fabric #1 Fabric #2
BGP AS 65500 BGP AS 65505
RR RR RR RR
MP-iBGP MP-iBGP
Control Plane Control Plane
Classic Ethernet
Sub-Interface
eBGP eBGP
Inter-AS Option A Inter-AS Option A

Leaf switches: N5600/N6000 Layer-3 DCI (MPLS/L3VPN)
Spine switches: N5600/N6000 & N7x00(F2e,F3)
BGP AS 65555
BL Switches: N5600/N6000, & N7x00 (F3)
DCI: N7x00 & ASR9000
MPLS (L3) DCI for Programmable Fabric
(FabricPath) NX-OS
7.2
IP Forwarding between Fabrics across Layer-3 based DCI
Single Box Solution
Fabric #1 Fabric #2
BGP AS 65500 BGP AS 65505
RR RR RR RR
MP-iBGP MP-iBGP
Control plane Control plane
Layer-3 DCI
(MPLS/L3VPN)
BGP AS 65555
N7x00 with F3
Single VDC
Programmable Fabric (VXLAN)
RR RR
Fabric Host/Subnet BGP EVPN Control Plane

External Subnet
Route Injection VXLAN Data Plane Route Injection
N1KV/OVS
MAN/WAN iBGP Adjacencies
 Overlay technology with IP underlay

 Overlay tunnel encapsulation is done on VTEP device, it can be a virtual/physical switch.
 Host information like IP & MAC and overlay IP address (VTEP) IP is advertised by a new BGP address (EVPN) family.
 VXLAN header has 24bit VNI field that increases name space to 16M identifier
Control Protocol for VXLAN 2 BGP propagates routes for
Protocol Learning BGP Route
the host to all other VTEPs
VTEPs advertise host routes (IP+MAC) to
local hosts
Reflector
1
VTEP VTEP
IP A
IP B
West Overlay Forwarding Table East
Host1 <MAC,IP> , VTEP IP A
3
VTEPs obtain host
Overlay Forwarding Table routes for remote hosts
Host1 <MAC,IP> , VTEP IP A
and install in RIB/FIB
Host2 <MAC,IP> , VTEP IP B
3 VTEP
IP C
South
BGP MPLS Based Ethernet VPN (draft-ietf-l2vpn-evpn-02)
IETF Network Virtualization Overlay Solution using EVPN (draft-sd-l2vpn-evpn-overlay-02)
Seamless Host Mobility across DC
Two DCs are directly connected at the
Data Center East : Agg. eVPN Routes exchanged via eBGP Data Center West:
BGP AS #100 BGP AS #200
BGP
BGP N7K RR
RR
eBGP Aggregation
… VXLAN Packet …
VTEP
VTEP
Distributed Anycast Gateway
Access
H1 H2
IP-H1 IP-H2
VNI 100 VNI 100
Layer 2 and Layer 3 Multi-Tenancy

Seamless Host Mobility – Intra and Inter DC
MPLS handoff for Programmable Fabric (VXLAN) N7K
NX-OS
7.2
Spines RR RR Two Box Solution
BGP EVPN Control Plane

VXLAN Data Plane
Leafs Border Leafs

VTEP
VLAN/VRF to VNI VNI to VLAN/VRF Inter-AS Option A
Leaf switches: N9300, N9500, N5600 (Roadmap)

Spine switches: N9500,N9300, N7x00
BL switches: N9300, N9500, N7x00(F3)
DCI: N7x00 & ASR9000 MPLS Cloud
MPLS handoff for Programmable Fabric (VXLAN)
N7K
NX-OS
7.3
Single Box Solution

Spines RR RR
BGP EVPN Control Plane VNI to VLAN/VRF

VXLAN Data Plane
Border Leafs
Leafs
VTEP MPLS Cloud
VLAN/VRF to VNI
Leaf switches: N9300, N9500, N5600 (Roadmap)

Spine switches: N9500,N9300, N7x00
BL Routers: N7x00 (Roadmap), ASR9000 (Summer 2015)
LISP handoff for Stand Alone Fabric (VXLAN)
N7K
NX-OS
7.2
Single Box Solution

IP Cloud
Border Spines RR RR
VNI to
Site Gateway (SG): VLAN/VRF/Instance-ID
LISP encap/decap
LISP signaling
BGP EVPN Control Plane
VXLAN Data Plane
Leafs
VTEP
VLAN/VRF to VNI
Leaf switches: N9300, N9500, N5600

Spine switches: N7x00
B Spines : N7x00 (Roadmap), ASR9000 (Roadmap)
Application Centric
Infrastructure (ACI)
Cisco ACI Logical Network Provisioning
Stateless Hardware
Web App DB
QoS Filter QoS

Outside
(Tenant VRF) Filter Service Filter
Cisco® ACI)Fabric
Cisco Application
Policy Infrastructure
Scale-Out Penalty-Free Overlay Controller (APIC)
Cisco ACI Network Profile
Policy-Based Fabric Management
• Extend the principle of Cisco UCS® Application

Manager service profiles to the entire
fabric
• Network profile: stateless definition of Storage Storage
application requirements
Web Tier App Tier DB Tier
− Application tiers
− Connectivity policies The Network Profile Fully Describes the Application
− Layer 4 – 7 services Connectivity Requirements
− XML/JSON schema ## Network Profile: Defines Application Level Metadata (Pseudo Code Example)
• Fully abstracted from the infrastructure <Network-Profile = Production_Web>

<App-Tier = Web>
implementation <Connected-To = Application_Client>
<Connection-Policy = Secure_Firewall_External>
− Removes dependencies of the <Connected-To = Application_Tier>
infrastructure <Connection-Policy = Secure_Firewall_Internal & High_Priority>
...
− Portable across different data center <App-Tier = DataBase>
fabrics <Connected-To = Storage>
<Connection-Policy = NFS_TCP & High_BW_Low_Latency>
...
ACI Nomenclature
Spine Nodes
Leaf Nodes
AVS
EPG “Internet” Service Producers EPG “Users”

EPG “Files”
Service Consumers
Application Policy Model and Instantiation
Application
Client
Application policy model: Defines
the application requirements Storage Storage
(application network profile)
Web Tier App Tier DB Tier
Policy instantiation: Each device

dynamically instantiates the required
changes based on the policies
VM VM VM VM VM VM VM
10.2.4.7 10.9.3.37 10.32.3.7
All forwarding in the fabric is managed through the application network profile
• IP addresses are fully portable anywhere within the fabric
• Security and forwarding are fully decoupled from any physical or virtual network attributes
• Devices autonomously update the state of the network based on configured policy requirements
ACI Adoption – Network (Layer 2 and 3 Fabric)
• Common Commercial, Enterprise, SP Use Case
• Network Operations
• Network Automation Firewall Context 1 (Routed Mode) ASR 9000
• Any Subnet, Any Where
• Network Capacity and Bandwidth
With or Without VMM Integration
(NSSA)
VLAN D
•
VLAN D
OSPF
OSPF / iBGP
• L2 used for L4-L7 Integration
• Limited use of contracts L3 Ext Out
EPG EPG
FW_Out FW_Out
Context: IT_VRF
BD: IT_VRF BD
FW_out
Contracts required between

host EPGs and external EPG
GW GW GW
ACI Fabric
EPG Web EPG App EPG DB
Bridge Domain Settings (host BDs):

· ARP Flooding: disabled
· Unicast Routing: enabled
· L2 Unknown Unicast: flood
Bridge Domain Settings (FW_out BD):
Web Server App Server DB Server · ARP Flooding: enabled
· Unicast Routing: disabled
DC Fabric and WAN/DCI Integration Overview
No worry, I will
take care
• Control Plane: MP-BGP (EVPN AF),

APIC one session for all tenants
• Data Plane: VXLAN to MPLS
interworking
DC • Auto provisioning: DCI and WAN
Spine
WAN/DCI
Leaf Leaf bLeaf bLeaf
Integration
Next-gen ACI, Interworking SDN MPLS
VXLAN
Scalable, Resilient, Optimized, End-to-End
ACI with Nexus 7k and ASR 9k - DCI
Classical Handoff WAN

Mgr
• L2 – 802.1Q trunked VLANs
• L3 – iBGP/LISP/OSPFv2/Static VRF-
WAN/DCI
lite (802.1Q data plane) N7K/ASR9K
DME
• 4K VLAN ID space shared by L2 & L3
DCI L3: iBGP
handoff Spine
Per VRF VLAN IDs allocated for L3 iBGP VRF-lite N9500
peering
L2: Classical
Ethernet
802.1Q Trunks
(VLANs)
bLeaf Leaf
N9300 N9300
ACI to DCI integration and handoff normalization
Handoff Normalization WAN
Mgr
• Scalable Border-Leaf to DCI peering

Single Adjacency
WAN/DCI
L2 + L3 tenant host information N7K/ASR9K
DME
• MP-BGP Control Plane DCI MP-BGP/
• VXLAN Data Plane VXLAN
• Scalable Tenant Handoff Spine
N9500
• Automated Tenant Handoff
bLeaf Leaf
N9300 N9300
SD-Access Fabric
DNA Solution DNA Center
Cisco Enterprise Portfolio Simple Workflows
DESIGN PROVISION POLICY ASSURANCE
DNA Center
Identity Services APIC- Network Data
Engine EM Platform
Routers Switches Wireless Controllers Wireless APs
#CLUS © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
What is SD-Access?
Campus Fabric + DNA Center (Automation & Assurance)
 SD-Access –
APIC-EM
APIC-EM
2.0
1.X  GUI approach provides automation &
assurance of all Fabric configuration,
ISE NDP
management and group-based
policy.
DNA Center
Leverages DNA Center to integrate

external Service Apps, to
orchestrate your entire LAN,
Wireless LAN and WAN access
B B network.
 Campus Fabric
C CLI or API form of the new overlay
Fabric solution for your enterprise
Campus access networks.
Campus
CLI approach provides backwards
Fabric compatibility and customization,
Box-by-Box. API approach provides
automation via NETCONF / YANG.
APIC-EM, ISE, NDP are all separate.

Cisco Digital Network Architecture
DNA Overview
Network-enabled Applications
Cloud Service Management

Policy | Orchestration
DNA Center
Open APIs | Developers Environment
Automation
Insights &
Experiences
APIC-EM + ISE +Analytics
NDP
Principles Abstraction & Policy Control Network Data,
from Core to Edge Contextual Insights
Automation
Open & Programmable | Standards-Based & Assurance
SDA, IWAN & ENFV

Virtualization
Physical & Virtual Infrastructure | App Hosting
Security &
Cloud-enabled | Software-delivered Compliance
What is SD-Access?
Fabric Roles & Terminology
DNA  DNA Controller – Enterprise SDN Controller
APIC-EM
Controller (e.g. DNA Center) provides GUI management
Identity and abstraction via Apps that share context
Services
ISE NDP  Identity Services – External ID System(s)
Analytics (e.g. ISE) are leveraged for dynamic Endpoint
to Group mapping and Policy definition
Engine
 Analytics Engine – External Data Collector(s)
(e.g. NDP) are leveraged to analyze Endpoint
Fabric Border Fabric Wireless to App flows and monitor fabric status
Nodes Controller
B B  Control-Plane Nodes – Map System that
manages Endpoint to Device relationships
Control-Plane
Intermediate  Fabric Border Nodes – A Fabric device (e.g.
C Nodes
Nodes (Underlay) Core) that connects External L3 network(s)
to the SDA Fabric
Campus  Fabric Edge Nodes – A Fabric device (e.g.
Fabric Edge Access or Distribution) that connects Wired
Nodes
Fabric Endpoints to the SDA Fabric
 Fabric Wireless Controller – A Fabric device
(WLC) that connects Wireless Endpoints to
the SDA Fabric
SD- Access Branch Deployment Options
Campus Connectivity with MPLS
* Border is a CE device
CONTROL-PLANE
LISP PE-CE MP-BGP PE-CE IGP/BGP
B B
MPLS Domain
Campus
SXP Connection between the Border’s

for SGT information exchange
VXLAN+SGT MPLS with SXP for SGT exchange IP/MPLS + SGT
DATA+POLICY PLANE
SD- Access Branch Deployment Options
Campus Connectivity with MPLS
* Border is a PE device
CONTROL-PLANE
LISP MP-BGP IGP/BGP
B B
MPLS Domain
Campus
DMVPN or GRE Tunnel between the Border’s

for SGT information exchange
VXLAN+SGT MPLS IP/MPLS + SGT
DATA+POLICY PLANE
SD- Access Campus Deployment Options
Branch Connectivity with MPLS
Internet MPLS
ISR4451 ISR4451
vWAAS vWAAS
ASAv ASAv
5520 5520
WLC WLC
3850 3850 3850

Border Border Edge
C Plane C Plane Svc blk
3850
Edge
Fabric
Svc blk
3850 3850 3850 3850 3850 3850 3850

Edge Edge Edge Edge Edge Edge Edge
AP #CLUS BRKMPL-2114 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
SD- Access Campus Deployment Options
Branch Connectivity with MPLS
Internet MPLS
5520 5520
WLC WLC
ISR4451 ISR4451
C Plane C Plane 3850
E-Border I-Border Edge
vWAAS vWAAS Svc blk
ASAv ASAv 3850
Edge
Fabric Svc blk
3850 3850 3850 3850 3850 3850 3850

Edge Edge Edge Edge Edge Edge Edge
AP
Services Layer
Data Center 2
LB LB LB LB
Spine Spine
Leaf DCI Leaf

AS100 AS200
MPLS Cloud
WAN
End user
connecting via
Campus internet
Firewall Options
• Three options to consider
• Virtual Firewall (ASA 1000v) and VSG
• Virtualized services
• High scale
• Leverages vPath technology
• IOS Zone Based Firewall
• Router based
• Native routing
• ASA
• Purpose built hardware
• Advanced firewall and security features
• Next slides explore the ASA and ZBFW options

ASA FW + Fusion Router
• Fusion router: FW
Contexts
• Inter-VPN connectivity
• Shared resource connectivity VPN A Fusion
VDC
• Internet, servers, etc. VPN B I-Net
• ASA contexts: VPN C
• VPN isolation / protection VPN D
• Per VPN policies: ACL, NAT … Shared

Services
• 256 contexts per FW
• Map to VLANs
Context functionality available on the
ASA
Now With the DC Fabric
Core
SLB local to server VLANs
Firewall
Trunk Server SLB Firewall

VLANs to SLB
SLB Def. Gateway
L2 VLAN
Fabric
L2 VLAN
Common VRF A VRF B

Default Gateway L2 VNI
Services Default Gateway
Servers DMZ/PCI
Zone Based Firewall w/ASR1000
• Hardware Based Performance
FW
• IOS Based Zone-Pairs Internal Link
• Zone-pair VPN A
• VRF-aware VPN B I-Net

Fusion
• Fusion VRF (Gray VRF in later slides) VPN C
VRF
VPN D
• Native MPLS Connectivity
Shared
• Per Zone Firewall Policy Services
VRF-Aware ZBFW
Cisco ASR1000: VASI Feature
• A point to point virtual link
• Internal to the router
• Connects two VRFs together
• Allows for direct peering

(IGP/BGP)
• Allows for ACLs, NAT, WCCP etc
• VRF aware firewall applied prior to

traversing the virtual link
Programmability &
Automation on Nexus
Switches
Overlay & Underlay Management
• Overlay manager Underlay API Overlay
• Provision VXLAN on Virtual and Physical end-points mgmt mgmt
• e.g. VTS
• NMS/EMS for Underlay management
• PoAP, Topology Discovery and Inventory, Telemetry, Physical 3rd Party Virtual
Image Management, etc. HW
• e.g. DCNM EVPN
• Loosely coupled VM
• API for information exchange OS
• Combine Underlay/Overlay management under single pane of

glass
Virtual Topology System (VTS)
Network-Centric Overlay Provisioning and Management System
VTS
VTF
Automated Overlay Seamless to Open Standards Scalable multi- Overlay

Provisioning Underlay Based tanancy Management
Network Centric Standalone Nexus RestFUL MP-BGP control Topology

group policy model 9K, Nexus 2K-7K Northbound APIs plane Discovery
Network Centric Software and Multi-protocol Physical and Virtual Manage Overlay
Services hardware VTEPs support device support resources
Service Chaining Third-Party (Future) Multi-Hypervisor High performance Overlay

virtual forwarding troubleshooting
Manage Multiple Fabrics from one DCNM
FP/DFA VXLAN-EVPN
One DCNM for multiple Fabrics and Fabric-Types

Choose Among Multiple Fabric-Types
DCNM shows what Fabric Types are available
DCNM 10 Fabric Management Views
POAP Device Mapping Pod Visualization / Cable Plan
VXLAN Overlay, Search VM Dashboard Integration
DCNM & Cisco Prime Configuration Templates
 Create configuration
template using simple
template language
 Define Variables for devices

and build configuration
 Preview configuration before

applying
Cisco Prime also supports template based
configuration for N7K  Reduce manual errors
NXAPI – Providing programmatic access to Nexus switches over HTTP/S
(returns output in easy to read JSON format)
#Your python code
#!/usr/env python JSON-RPC/JSON/XML
import json Request/response format
import requests
url =
"http://172.25.91.139/ins"
HTTP/S
payload = [{'jsonrpc': '2.0',
'method': 'cli', 'params': jsonrpc request/response
['show version',1], 'id': '1'}]
HTTP/S
………
NXAPI web server

Switch# conf t Nexus
Switch(config)# feature nxapi
9K/7K/6K/5K
Switch(config)# exit
NXAPI SandBox Useful for both
Configuration and
verification scripting
Show bgp VPNv4 Unicast Summary

Show mpls ldp neighbor
Show ip route vrf vrf1
Ping 10.1.0.1 vrf vrf1
import json "jsonrpc": "2.0",

url='http://YOURIP/ins' "result": {
switchuser='USERID' "body": {
switchpassword='PASSWORD' "TABLE_vrf": {
myheaders={'content-type':'application/json-rpc'} "ROW_vrf": {
payload=[ "vrf-name-out": "default",
{ "vrf-router-id": "192.168.0.1",
"jsonrpc": "2.0", "vrf-local-as": "100",
"method": "cli", "TABLE_af": {
"params": { "ROW_af": {
"cmd": "sh bgp vpnv4 unicast summary", "af-id": "1",
"version": 1.2 "TABLE_saf": {
}, "ROW_saf": {
"id": 1 "safi": 128,
},
Pulling the Building Blocks Together
WAN
MPLS
Fabric
Firewalls
Design Case Studies
Case Study
MPLS Layer 3 VPN – Multi-POD
• Requirement: Global
Interconnect Campus
 Secure Segmentation for Hosted / Enterprise Data

/WAN
Internet
Edge
Centers or Campus networks via MPLS VPNs
• Solution:
MPLS
 One MPLS network infrastructure for all services
 MPLS PE boundary in POD EoR/ToR access/
aggregation layer L3
 Below MPLS boundary: L2
L2 or L3 (VRF-lite with PE-CE)
Layer-2
 Direct PE-PE or PE-P-PE networks
 Scaling POD architecture without operational
POD POD POD
overhead using Fabric Extenders
Case Study
MPLS Handoff for vPC Fabric
MPLS WAN
DC Design of a Large
Enterprise in India N7700 core switch
Aggregating 3 floors
MPLS
Intra-DC MPLS
Cloud
N7700 HSRP
Floor Aggregation MPLS PE
Switch
L2
Double sided
Spine Server Hall vPC Spine Server Hall
N9500 N9500
Double sided Double sided
vPC vPC
Leaf Leaf
N9300 N9300
4 Server Hall
20 Hosts 20 Hosts 20 Hosts 20 Hosts
per floor
Case Study
MPLS Handoff for FabricPath Fabric Building-2
Building-1
VSS Active VSS Standby VSS Active VSS Standby
• Design of a large European university
• Requirement of separating departments and

Cat6800 40G 40G Cat6800
maintain it across campus & Datacenter
MPLS
• Datacenter built with FabricPath P P
N7K
F3
Campus
Core
• Enabled MPLS VPN on DC edge switch and
Campus core switch for end to end N7K PE PE

F3
VPC+
segmentation from campus to Datacenter.
5K VPC
VPC
DC
Case Study
MPLS Handoff for Standalone Fabric
(FabricPath)
AS65000 AS65001
• DC Design of a leading
natural gas and oil N6004
producer from North Spine
America MP-iBGP Control MP-iBGP Control
Plane Plane
• L3 DCI for Standalone N5672 FabricPath DataPlane Border Leaf FabricPath DataPlane
Leaf N7700(F3)
Fabric(FabricPath) with
N7700 (F3) Linecard
MPLS WAN
AS1001
MPLS to VXLAN Customer Deployment N7K
NX-OS
7.3
MPLS VPN
RR
iBGP VPNv4
IP Cloud
Border Spines
VNI to MPLS
BGP EVPN Control Plane VPN/VRF
VXLAN Data Plane
Leafs
VTEP
DC 1 DC 2 DC 3
VLAN/VRF to VNI
Leaf switches: N9300, N5600
Spine switches: N7x00,
MPLS Routers: ASR9K
Case Study
Design Option Leveraging FabricPath
Zone Based Design
CORE
LB
LB
• Segmentation by separating vPC or FP
default gateway
LB
vPC or FP
LB
• Each segment considered a Default Gateway Default Gateway
Zone
Zone1 Zone2
• Each Zone has unique FWs

and LBs Spine Layer (N7k)
FabricPath Only
• Can leverage VDCs

• Simple FabricPath
Case Study
Design: Firewall Placement w/Virtualization
Option1 Option2
CORE MPLS
LB
LB
Default Gateway
Spine Layer (N7k) Default Gateway
Spine Layer (N7k)
F2e
Case Study
Option1: Traffic Flow
CORE CORE
LB LB
LB LB
Default Gateway Default Gateway

Spine Layer (N7k) Spine Layer (N7k)
Inter
VRF
Intra
VRF FabricPath FabricPath
Case Study
Option1: Solution w/ASA Cluster
CORE
• Use ASA cluster for firewalling
Inside Outside
• One ASA context per virtual LB

segment
• Scale up by growing ASA cluster LB
and add additional clusters Default Gateway
• VRF or VDC sandwich design

Spine Layer (N7k)
• Core layer is simple. No VRFs.

• Traffic symmetry is automatically handled FabricPath
by ASA cluster
Virtual Firewall per VRF
• VDC or VRF Sandwich Design
• Virtual firewalls assigned to VRF VDC-Agg VDC-Agg
by VLAN association
• One pair of physical or virtual firewall Active/Standby
VRF C
per VRF VRF B
• Each firewall requires two VLANs; VRF A

inside and outside
• Firewall in transparent or routed mode VDC-Sub-Agg VDC-Sub-Agg
• Can be made simpler by delegating default

gateway functionality to the firewall
Sample VRF w/ASA
Default Gateway
Case Study
Option2: Traffic Flow
MPLS MPLS
Inter
VRF
Intra Default Gateway

Spine Layer (N7k)
Default Gateway
Spine Layer (N7k)
VRF F2e F2e
Comparing Options
• Option1: ASA Firewall
• Scales up by way of distributing customers to firewalls and leveraging clusters
• Stateful HA
• Purpose built hardware
• Management tools
• Inter-VRF traffic flow leverages spine layer
• Option2: ASR1k ZBFW:
• MPLS attached
• Additional services like NAT and WCCP
• Hardware forwarding
• No concerns about trunking VLANs
• There is absolutely nothing wrong with going with either option. The choice is dependent on
many factors such as requirements, comfort level with product, management and
operations etc.
Option2: Zone Based Firewall (ZBFW)
ZBFW ZBFW
ASR1k Hardware Performance
QFP
• QFP
• Native MPLS Attachment

• VRF-Aware
• Attach Anywhere with
MPLS Reachability MPLS
Option2: ZBFW w/VASI Details
• Native MPLS termination ASR1k
• Gray VRF interconnects Gray
VRF
tenant VRFs vasi
• Leverage VASI BGP or OSPF
Over VASI
vasi
• Each ‘tenant’ gets a security
policy zone-pair
VR
Fs
• NAT possible and 100
-19
WCCP Possible on VASI 9 Per-VRF
Security Policy Applied Before
Traversing VASI
LDP
MPLS
Option2: Firewall Design w/Zone Based Firewall
• Redundancy by way of routing Services VRF
• Active/Standby
• Leverage metrics vasi Gray
Gray
vasi
VRF
• Limiting factors: VRF
• Throughput
VR
• Number of connections
9
Fs
19
10
0-
0-
10
• Number of conn/sec 19
Fs
9
VR
MPLS
• Per-VRF loadbalancing
• N+1 redundancy
• Very scalable design
• Grow as you go
• Scalability is additive
• Second Gray VRF for further

segmentation
• Same logic as before
• Per-vrf loadbalancing
• Grow as you go
Inter-DC Flow Connectivity
• Symmetric traffic flow is critical
Inter-DC: Different VRFs Inter-DC: Same VRF
Gray VRF Gray VRF

FW-DC1
WAN Core FW-DC2 WAN Core
Supernet or Supernet or
Defaultr oute Defaultr oute
DC1 DC2 DC1 DC2
Cust1_VRF1 Cust1_VRF2 Cust1_VRF1 Cust1_VRF1
Case Study Inter-VRF Firewalls
ALG ALG
QFP QFP
• Spine/leaf architecture MPLS

• FabricPath for L2 multi-pathing ASR9k
ASR9k
ASR9k
ASR9k
• No spanning tree
• Default gateway at spine layer
• ASR1ks w/ZBFW for firewall layer Default Gateway
Spine Layer (N7k)
• Nexus 5k/2k at the access

F2e
FabricPath
How do I Scale Up?
QFP QFP QFP QFP QFP
Firewall Layer
Route Reflector MPLS Route Reflector

QFP QFP
P-Layer
MPLS MPLS
MPLS
PE Layer PE Layer
FabricPath FabricPath FabricPath
WAN Design
WAN Requirements
• Highly available
• IGP reconvergence or instability should not affect other DCs
• Minimize state in the WAN
• Add/remove data centers without network outage
• Connect DCs with fiber, leased lines and encrypted tunnels
• Traffic engineering
A WAN Core Layer – Dual Plane
• IGP Isolation between each plane
• Isolate topology changes
• Flexible topology
• Highly redundant
• Similar to two provider environments
• Traffic Engineering
Back to Design ALG
Inter-VRF Firewalls
QFP QFP
ALG
MPLS
• WAN Core routers are co-located in ASR9k
ASR9k
major DCs WAN1
ASR9k
Core1
ASR9k
Core2
WAN2
• DC Core routers connect directly to

WAN core routers
• No connection between WAN core routers Default Gateway
Spine Layer (N7k)
F2e
FabricPath
A WAN Core Layer – With Inter-AS
• DCs connect using dark fiber, GRE,
or leased lines
• The IGP used in the WAN core is separate
• DCs peer to the WAN core using eBGP
• Inter-AS option C
• Only feed infra routes to WAN Core
• VPN exchanged between RRs at
each DC
• Advantages:
• Scale & Flexibility
• IGP Isolation
• Adding/removing DCs is seamless
• High level of HA
Summary
• CLOS Architecture for Scale and Flexibility
• FabricPath for any VLAN Anywhere in

the DC
• Spine layer with Integrated MPLS PE
• Firewalls Native Attached to MPLS
• Scalable Architecture
• Grow as you Go
• Highly Flexible WAN that Scales and Highly

Redundant
• Flexible Growth with Multiple DCs
A 6 Geo Example
A 6 Geo Example
Key to Layout
Big Picture
Lessons Learned - 1
• Fabric Scale
• MAC, SVI and VLAN limits
• Topology size (number of switch-IDs) and links
• Active/Active HSRP
• Requires either vPC or GLBP today
• Anycast HSRP in the 6.2 release. Requires a new release on the N5k (roadmap)
• Hardware Choices
• FabricPath vs VXLAN vs ACI
• MPLS Handoff
• Inter-AS option C on ASR9k today
• Firewall design
• Asymmetric routing challenges with ASR1k. Requires BGP metric
• DC to DC flows with symmetry. Requires supernet routes
Lessons Learned - 2
• Inter-AS
• Option C not supported on N7k yet (roadmap)
• GRE: MTU requirement
• Routing over VASI:

• OSPF and iBGP were possible options over VASI initially
• eBGP support with local-AS/Remote-AS support in 3.7.2 release on the ASR1k
• Deciding on which routes to advertise from Gray VRF requires BGP filters
• MPLS PE placement
• VRF-lite harder to manage and operate
• Direct handoff to the Nexus 7k or the ASR9k makes the design simpler
• Virtual firewalls, like the vASA, would make an interesting solution
MPLS Sessions at Cisco Live
• BRKMPL-1100 Introduction to MPLS
• BRKMPL-1102 MPLS Enterprise Switching Product Update and Designs
• BRKMPL-2100 Deploying MPLS Traffic Engineering
• BRKMPL-2102 Designing MPLS-based IP VPNs
• BRKMPL-2108 Designing MPLS in Next Generation Data Center: A Case Study
• BRKMPL-2110 Enterprise MPLS - Customer Case Studies
• BRKMPL-2115 MPLS Architectural approaches for Data Center and Cloud
• BRKMPL-2333 E-VPN & PBB-EVPN: the Next Generation of MPLS-based L2VPN
• BRKMPL-3124 Troubleshooting End-to-End MPLS
• LTRMPL-2104 Cisco WAN Automation Engine (WAE) Network Programmability with Segment Routing
• LTRMPL-3102 Enterprise Network Virtualization using IP and MPLS Technologies: Advanced
• TECMPL-3200 SDN WAN Orchestration in MPLS and Segment Routing Networks
Complete your online session evaluation
Give us your feedback to be entered

into a Daily Survey Drawing.
Complete your session surveys through
the Cisco Live mobile app or on
www.CiscoLive.com/us.
Don’t forget: Cisco Live sessions will be available for viewing
on demand after the event at www.CiscoLive.com/Online.
#CLUS Presentation ID © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 108
Continue
your Demos in
the Cisco
Walk-in
self-paced
Meet the
engineer
Related
sessions
education campus labs 1:1
meetings
#CLUS Presentation ID © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 109
Thank you
#CLUS
#CLUS

MPLS

Uploaded by

Copyright:

Available Formats

MPLS

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

MPLS

Uploaded by

Copyright:

Available Formats

#CLUS

Minhaj Uddin, Technical Marketing Engineer

Webex Teams will be moderated cs.co/ciscolivebot#BRKMPL-2114

 Understand the technical building blocks

 Understand different designs and use cases and

• Network Segmentation (w/o

• Role-based Access Control (w/o

• Common Policy for Wired and

• Consistency Across Campus, WAN

 Virtual FW/LB per tenant

• Creates independent and separate IPv4 and IPv6

Not easy to manage with large number of

Provider Tunnel Tunnel Provider

Border Leaf Border Leaf

Leaf DCI Leaf

Multi-tenant Fabric Multi-tenant Fabric

DC Edge Router DC Edge Router

 Connecting multi-tenant DCs

 Better Policy Control & Security

 WAN managed by other Vendors

MP-eBGP for VPNv4

IGP Label GRE Header IGP Label

Border Leaf Border Leaf

Leaf DCI Leaf

Multi-tenant Fabric Multi-tenant Fabric

DC Edge Router DC Edge Router

Modernized Operating System L2 & L3 Wire-rate Any Hypervisor

Broad and Deep Ecosystem

AS300 Inter-as Option B

Fabric Workload Optimized Virtual Fabrics

Bundled' functions'are' Modular,'Flexible' and'follows'

Fabric Host/Subnet MP-iBGP Control Plane External Subnet

Inter-AS Option A Inter-AS Option A

Fabric Host/Subnet BGP EVPN Control Plane

MAN/WAN iBGP Adjacencies

 Overlay technology with IP underlay

Distributed Anycast Gateway

Layer 2 and Layer 3 Multi-Tenancy

Spines RR RR Two Box Solution

BGP EVPN Control Plane

Leafs Border Leafs

Leaf switches: N9300, N9500, N5600 (Roadmap)

Single Box Solution

BGP EVPN Control Plane VNI to VLAN/VRF

Leaf switches: N9300, N9500, N5600 (Roadmap)

Single Box Solution

Leaf switches: N9300, N9500, N5600

QoS Filter QoS

• Extend the principle of Cisco UCS® Application

• Fully abstracted from the infrastructure <Network-Profile = Production_Web>

EPG “Internet” Service Producers EPG “Users”

Policy instantiation: Each device

10.2.4.7 10.9.3.37 10.32.3.7

Contracts required between

Bridge Domain Settings (host BDs):

• Control Plane: MP-BGP (EVPN AF),

Leaf Leaf bLeaf bLeaf

Classical Handoff WAN

• Scalable Border-Leaf to DCI peering

DESIGN PROVISION POLICY ASSURANCE