DNA
- SDA + DNA Center + ISE
- DNAC: controller + network data platform (NDP)
- controllers must be close – difference from ACI (< 100 ms)
- DNAC RTT = 10 ms
- DNAC-ISE RTT = 200 ms
- DNAC-WLC, DNAC-edge RTT = 100 ms
- 3 controllers in cluster
- controls infrastructure using SSH
- functions
- automation
- monitoring
- assurance
- policy is exchanged with ACI through ISE ↔ APIC: SGT-EPG mapping; IP-SGT bindings are propagated via SXP
Underlay
- mcast SSM or headend replication for BUM
- IPv4 only
- MTU 9100 (supported by all platforms)
- cluster and services subnets – /21 private address each
Overlay
- LISP + VXLAN-GPO (includes CTS)
- LISP AD = 250
- edge nodes
- border node
- internal
- external
- control node: LISP MS
- policy enforcement – egress
- interface in overlay – fast switching (not CEF), to trigger LISP
- only static RP: ASM, SSM
- IPv4, IPv6
VXLAN-GPO header (network bit order, bit 0 first, per draft-smith-vxlan-group-policy):
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|G|R|R|R|I|R|R|R|R|D|R|R|A|R|R|R|        Group Policy ID (SGT)  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                VXLAN Network Identifier (VNI) |   Reserved    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
G: 1 ≡ CTS enabled (Group Policy ID / SGT present)
I: 1 ≡ VNI valid (standard VXLAN flag)
D: 1 ≡ don’t learn source address on egress VTEP
A: 1 ≡ policy already applied
R: reserved, set to 0
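Added example (not from the original notes or from Cisco): an encoder/decoder for the 8-byte VXLAN-GPO header above, plus the egress-side SGT check the notes describe (policy enforced at egress; the A bit means an upstream hop already applied it). Bit positions follow draft-smith-vxlan-group-policy; the sample header bytes, the SGT values and the policy matrix are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Flags live in bits 0-15 of the first word (bit 0 = MSB in network order);
# the Group Policy ID (the SGT in SD-Access) is bits 16-31.
FLAG_G = 1 << 31   # bit 0:  Group Policy ID present
FLAG_I = 1 << 27   # bit 4:  VNI valid (base VXLAN flag)
FLAG_D = 1 << 22   # bit 9:  don't learn source address on egress VTEP
FLAG_A = 1 << 19   # bit 12: policy already applied


@dataclass(frozen=True)
class VxlanGpoHeader:
    vni: int
    sgt: int = 0
    gbp: bool = True             # G bit
    dont_learn: bool = False     # D bit
    policy_applied: bool = False # A bit

    def pack(self) -> bytes:
        if not 0 <= self.vni < (1 << 24):
            raise ValueError("VNI must fit in 24 bits")
        if not 0 <= self.sgt < (1 << 16):
            raise ValueError("SGT must fit in 16 bits")
        word0 = FLAG_I
        if self.gbp:
            word0 |= FLAG_G | self.sgt
        if self.dont_learn:
            word0 |= FLAG_D
        if self.policy_applied:
            word0 |= FLAG_A
        word1 = self.vni << 8          # low 8 bits of word 1 are reserved
        return struct.pack("!II", word0, word1)

    @classmethod
    def unpack(cls, data: bytes) -> "VxlanGpoHeader":
        if len(data) < 8:
            raise ValueError("VXLAN header is 8 bytes")
        word0, word1 = struct.unpack("!II", data[:8])
        if not word0 & FLAG_I:
            raise ValueError("I bit clear: VNI not valid")
        gbp = bool(word0 & FLAG_G)
        return cls(
            vni=word1 >> 8,
            sgt=(word0 & 0xFFFF) if gbp else 0,  # no G bit -> unknown SGT 0
            gbp=gbp,
            dont_learn=bool(word0 & FLAG_D),
            policy_applied=bool(word0 & FLAG_A),
        )


def egress_decision(hdr: VxlanGpoHeader, dst_sgt: int, policy: dict) -> str:
    """Egress VTEP enforcement: skip the lookup when the A bit says policy was
    already applied upstream, otherwise consult the (src SGT, dst SGT) matrix
    with default deny for pairs that have no entry."""
    if hdr.policy_applied:
        return "permit"
    return policy.get((hdr.sgt, dst_sgt), "deny")


# Constructed sample: G+I set, SGT 10, VNI 4098 (0x001002), reserved byte 0.
SAMPLE_HEADER = bytes.fromhex("8800000a00100200")
# Constructed policy matrix: only SGT 10 -> SGT 20 is permitted.
SAMPLE_POLICY = {(10, 20): "permit"}

if __name__ == "__main__":
    h = VxlanGpoHeader.unpack(SAMPLE_HEADER)
    print(h, egress_decision(h, 20, SAMPLE_POLICY), egress_decision(h, 30, SAMPLE_POLICY))
```

The same SGT value appears in every VXLAN-GPO packet on the AP-edge and edge-border links, which is why the notes stress that enforcement happens at the egress edge and not on the AP: a decoder on the egress side needs only the header and the destination SGT.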
Control node
- up to 6 nodes; if several, edge/border must send data to every control node; no sync between control nodes
- redistribute between LISP and BGP (aggregate up to pool)
- aggregate is sent to border via iBGP
- LISP instance per VRF and per VNI (≡ VLAN) ⇒ route leaking is impossible because processes do not communicate
- if existing EID is registered, sends map-notify to old RLOC
(config)# router lisp
(config-router-lisp)# site <SITE>
(config-router-lisp-site)# eid-prefix instance-id <N> <PREFIX> accept-more-specifics
Border node
- configured for all pools in LISP: trigger resolution for prefixes from iBGP
- if colocated with control node, prefixes from LISP are installed in RIB
- optionally redistributes external prefixes into map-cache as local EID
- PIM RP for overlay, MSDP for anycast
- requires VRF-lite handoff because of LISP: an external VRF cannot talk to LISP in another VRF, so each fabric VRF needs its own external link
(config)# router lisp
(config-router-lisp)# eid vrf <VRF> instance-id <ID>
; export mapping to RIB
(config-router-lisp-eid-table)# ipv4 route-export site-registrations
; export MSDB entries to cache
(config-router-lisp-eid-table)# ipv4 map-cache site-registration
; AD, 10 default
(config-router-lisp-eid-table)# ipv4 distance site-registrations 250
; prefix in CEF triggers LISP
(config-router-lisp-eid-table)# map-cache <PREFIX> map-request
Edge node
- endpoint discovery: IPDT
- DHCP, NDP, ARP snooping
- LISP dynamic EID detection
- send ICMP once per 60s
- packet from unknown endpoint is received – trigger ARP + ICMP instead of flood
- silent hosts are not supported: they require L2 flooding
- dynamic EID is lost
- send 3 ICMP with 1s interval
- does not trigger LISP deregistration
- ARP: proxy using LISP
- no bcast ARP in overlay, only to local ports
- sends unicast ARP to RLOC
- BUM is still forwarded via mcast
- EID = ARP TPA, RLOC = MAC
- registers in dynamic EID
- /32 IP EID
- MAC EID
- IP-MAC mapping: address resolution table
- anycast GW: IP + MAC (ba25.cdf4.ad38)
- ETR enforces SGT policy
- CP_LEARN action in CAM
(config)# device-tracking tracking
; trigger LISP within same VNI
(config-if)# ip route-cache same-interface
; reply with own MAC to all ARP or send request to MSMR to transform ARP into unicast
; later ARP updates host with appropriate MAC
(config-if)# ip local-proxy-arp
Forwarding
- E1 discovers clients using LISP mobility within dynamic EID
- only control node can redistribute LISP → RIB and then RIB → BGP
- L3 traffic encapsulation (e.g., client traffic between border and edge): VXLAN VNI = LISP ID
- edge-AP VXLAN: carries SGT (assigned on AP via 802.1x)
- local proxy ARP was used earlier, not anymore (later ARP updates host with correct MAC)
- PC1 → PC2
- fast switching for connected subnet (LISP in lieu of CEF)
- E1 requests PC2 RLOC: IP + IP/MAC resolution
- E1 sends unicast ARP to E2
- BUM is forwarded within mcast VXLAN
PnP
- DTP enabled on all ports
- interface sends 8×CDP packets (1 pkt/sec) with TLVs on start-up
- which VLAN to use for PnP
- SVI in VLAN 1 receives address via DHCP
- SVI is created after at least 1 trunk is brought up
- DNAC address
- DHCP: option 43
- upstream switch may itself add option 43, using DHCP snooping
- DNS: pnpserver
- later DNAC address is added as static route
- DHCP: option 43
- DHCP pool is created temporarily on seed device
- seed device must be managed by DNAC
- device inserts option 60 (vendor class) into DHCP with "ciscopnp"
- device registers itself on DNAC
- HTTP, XMPP
- not permanently active: if disabled, DNAC removes DHCP address from SVI 1
- re-add device ≡ write erase
; change SVI 1 to SVI N
(config)# pnp startup-vlan <N>
DHCP
- edge inserts option 82 with own RLOC: enables border to forward reply to correct edge (anycast GW)
- /32 loopback with anycast GW address on border: intercept DHCP replies and forward them according to option 82
- circuit ID 0x00040bb80607
- 00 suboption: vlan/mod/port
- 04: length
- 0bb8: VLAN 3000
- 06: module 6
- 07: port 7
- remote ID 0x030800100201c0a80106
- 03 suboption: LISP
- 08: length
- 001002: LISP ID 4098
- 01: IPv4 locator, 02: IPv6 locator
- c0a80106: 192.168.1.6, RLOC
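Added example (not from the original notes or from Cisco): a decoder for the option 82 layout above (circuit-id TLV type 0 = vlan/mod/port; remote-id TLV type 3 = LISP instance-id + AFI + RLOC), plus the check a border should do before using the RLOC to forward the reply. The full option 82 blob is constructed from the two values in the notes; the outer sub-option codes (1 = circuit-id, 2 = remote-id) are the standard RFC 3046 ones. Truncated or malformed TLVs raise instead of being partially trusted.

```python
import struct
from ipaddress import IPv4Address, IPv6Address


def _tlvs(blob: bytes):
    """Iterate (type, value) over a TLV sequence; reject truncation."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated TLV header")
        t, ln = blob[i], blob[i + 1]
        v = blob[i + 2:i + 2 + ln]
        if len(v) != ln:
            raise ValueError("truncated TLV value")
        yield t, v
        i += 2 + ln


def decode_circuit_id(blob: bytes) -> dict:
    """Cisco circuit-id sub-option: inner TLV type 0 = VLAN(2) mod(1) port(1)."""
    out = {}
    for t, v in _tlvs(blob):
        if t == 0x00 and len(v) == 4:
            vlan, mod, port = struct.unpack("!HBB", v)
            out.update(vlan=vlan, module=mod, port=port)
        else:
            out.setdefault("unknown", []).append((t, v.hex()))
    return out


def decode_remote_id(blob: bytes) -> dict:
    """Remote-id as inserted by an SDA edge: inner TLV type 3 =
    LISP instance-id (3 bytes) + AFI (1 = IPv4, 2 = IPv6) + RLOC."""
    out = {}
    for t, v in _tlvs(blob):
        if t == 0x03:
            if len(v) < 4:
                raise ValueError("LISP remote-id too short")
            iid = int.from_bytes(v[:3], "big")
            afi = v[3]
            rloc_bytes = v[4:]
            if afi == 1 and len(rloc_bytes) == 4:
                rloc = IPv4Address(rloc_bytes)
            elif afi == 2 and len(rloc_bytes) == 16:
                rloc = IPv6Address(rloc_bytes)
            else:
                raise ValueError(f"bad AFI {afi} / RLOC length {len(rloc_bytes)}")
            out.update(lisp_instance_id=iid, afi=afi, rloc=str(rloc))
        else:
            out.setdefault("unknown", []).append((t, v.hex()))
    return out


def decode_option82(blob: bytes) -> dict:
    """Outer option 82 sub-options: 1 = circuit-id, 2 = remote-id."""
    out = {}
    for t, v in _tlvs(blob):
        if t == 1:
            out["circuit_id"] = decode_circuit_id(v)
        elif t == 2:
            out["remote_id"] = decode_remote_id(v)
        else:
            out.setdefault("unknown", []).append((t, v.hex()))
    return out


def relay_reply_target(option82: bytes) -> str:
    """Border-side check: forward the DHCP reply only to an RLOC that decodes
    cleanly from the LISP remote-id; anything else is an error, not a guess."""
    rid = decode_option82(option82).get("remote_id")
    if not rid or "rloc" not in rid:
        raise ValueError("no LISP remote-id: cannot determine edge RLOC")
    return rid["rloc"]


# Constructed option 82 value built from the two examples in the notes:
# sub-option 1 (len 6) = 00 04 0bb8 06 07, sub-option 2 (len 10) = 03 08 001002 01 c0a80106
SAMPLE_OPTION82 = bytes.fromhex("0106" "00040bb80607" "020a" "030800100201c0a80106")

if __name__ == "__main__":
    print(decode_option82(SAMPLE_OPTION82))
    print("reply goes to RLOC", relay_reply_target(SAMPLE_OPTION82))
```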
DNA Spaces
- location analytics
Wireless controller (WLC)
- control plane: CAPWAP
- data plane: VXLAN
- WLC uses proprietary LISP messages
- WLC registers client MAC with control node
- ETR = edge: it later registers L3 EID
- seamless roaming
- AP-to-edge link
- VXLAN encap: SGT marking transport (not enough to mark on edge because of 802.1x)
- WLC sends VNI and SGT for client to AP
- AP receives xTR (edge) address from WLC
- WLC first sends Query about RLOC for AP IP, RLOC address is used as VTEP
- WLC updates MSMR with AP radio MAC (RLOC = edge), MSMR updates xTR → triggers VXLAN tunnel config (is_AP = 1, bit in LISP message)
- AP IP is additionally encoded into Map-Reply for radio MAC
- client roaming: LISP mobility accelerate
- MSMR notifies old edge, new edge and borders
- old edge revokes registration
- new edge register endpoint
- other edges are not updated → stale info
- in earlier releases borders were not updated either ⇒ preference for co-located control/border node
- policy is enforced by egress edge, not AP
- 2 WLC per fabric
- active/standby
- fabric discovers AP using CDP and then triggers EEM to put port into INFRA_VRF ≡ global
- AP requests address via DHCP
- option 82: edge address, so that border could return reply to correct edge
- AP receives WLC address via DNS or DHCP
- AP access to WLC – via specific route, default not permitted (global RIB)
- WLC-AP RTT = 20 ms
- WLC-control RTT = 100 ms
- WLC → MSMR – TCP
- xTR → MSMR – UDP
- AP → WLC in underlay
- WLC → AP in overlay because of anycast GW: LISP resolution required to locate /32
Intelligent capture
- send statistics directly to DNAC without passing through WLC (better data correlation)
- AirSense: SPAN on anomaly detection
ISE
- interaction with PAN
- ISE → DNAC: pxGrid
- DNAC → ISE: REST API
- when enabling integration, DNAC exchanges certificates via SSH
Assurance
- path trace: shows path through devices and issue location (e.g., ACL)
- AP can be a sensor (≈ client)
- trend tracking
- proactive issue detection
- anomaly detection
- failure breakout: event chain + display according to occurrence frequency (e.g., timeout during association)
- topology view
- collects client information + its location in topology
- recommended actions for troubleshooting
- health score + drill down the hierarchy
- event correlation
- heat-map for Wi-Fi