Tim Shotton
Principal Consultant - Enterprise Networks | CCNP Enterprise
Cisco SDA L2VNI.. What is it and why is it needed? 💭

As we move away from traditional layer 2 campus topologies, I’ve mentioned previously that this presents issues with maintaining current layer 2 domains for endpoints that may not be easily re-IP addressed or that may require layer 2 adjacency with other devices on the segment. SDA addresses this issue through the use of an overlay technology, VXLAN, which through the use of encapsulation allows layer 2 to be extended over layer 3 routed networks. This is great. However.. What if you currently have a gateway for one of the VLANs that gets migrated into SDA placed on a firewall for increased east/west visibility of devices and some extra security for this particular VLAN?

This is where Layer 2 Virtual Network Identifier (L2VNI) comes in. In SDA, L2VNIs are similar to a layer 2 VLAN, so they get created in Catalyst Center (formerly DNAC) as a purely layer 2 pool, rather than an L3VNI with an anycast gateway. By creating an L2VNI pool and mapping it to the legacy VLAN ID (VLAN 1234 in the case of my lab), we can extend the VLAN from the fabric edge switch into SDA, as a LISP instance ID is created and mapped to the VLAN ID. This traffic gets forwarded through the fabric via the underlay multicast. This will allow the layer 2 traffic to traverse the fabric and out to the destination in the layer 2 switching domain. Note - STP packets do not traverse the fabric, so the spanning-tree domain ends at each fabric switch where it is presented.

In my example lab, the gateway of VLAN 1234 is presented on a pair of firewalls in an active/standby setup. To ensure a resilient design, both firewalls attach into the fabric via a different fabric edge switch and the active firewall presents the gateway IP for the subnet. Should the active firewall fail, the traffic will use the redundant path. Only active/standby paths to external gateways are supported at this time in Catalyst Center.

This could also be achieved through the use of layer 2 borders, but there are limitations with these that may make it harder to achieve a resilient design. I don’t believe there is a right or wrong way when it comes to layer 2 extension from SDA, it just comes down to which design choice fits best with the desired outcomes. A good post about L2VNI can be found here - https://lnkd.in/eZZCqNPt
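To make the encapsulation in the post above concrete, here is an added Python example (not code from the post, from Cisco or from Catalyst Center) that builds and parses the VXLAN header an L2VNI frame rides in, and makes the fabric-edge decisions the post describes: BUM frames go to the underlay multicast group, known unicast is sent as unicast, and STP BPDUs are dropped so the spanning-tree domain ends at the edge. The MAC addresses, the instance ID 8188 and its mapping to VLAN 1234, and the sample frames are all constructed for illustration.

```python
"""VXLAN (RFC 7348) encapsulation and BUM classification at a fabric edge.

Added example; not code from the post, Cisco, or Catalyst Center. MAC
addresses, the VNI-to-VLAN mapping and the sample frames are constructed
for illustration.
"""
from __future__ import annotations

import struct

VXLAN_UDP_PORT = 4789                          # IANA port for VXLAN (RFC 7348)
VXLAN_FLAG_I = 0x08                            # "I" flag: VNI field is valid
STP_BPDU_DST = bytes.fromhex("0180c2000000")   # 802.1D bridge group address
ETHERTYPE_ARP = 0x0806

# Assumed L2VNI -> VLAN mapping of the kind Catalyst Center creates.
# 8188 is a constructed instance ID, not read from a real fabric.
VNI_TO_VLAN = {8188: 1234}


def mac(text: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def ethernet_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build a minimal untagged Ethernet II frame (no FCS)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def vxlan_encap(vni: int, inner: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header: flags(1) rsvd(3) VNI(3) rsvd(1).

    The outer IP/UDP headers (dst port 4789) are left to the underlay.
    """
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    header = bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    return header + inner


def vxlan_decap(packet: bytes) -> tuple[int, bytes]:
    """Split a VXLAN payload into (vni, inner_frame), rejecting bad headers.

    There is no integrity check or authentication in this header: anything
    that can reach UDP/4789 on an RLOC can inject a frame into any VNI it names.
    """
    if len(packet) < 8 + 14:
        raise ValueError("packet too short for VXLAN header + Ethernet frame")
    flags = packet[0]
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    vni = int.from_bytes(packet[4:7], "big")
    return vni, packet[8:]


def is_bum(frame: bytes, known_macs: set[bytes]) -> bool:
    """Broadcast, multicast (group bit of first octet) or unknown unicast."""
    dst = frame[:6]
    return bool(dst[0] & 0x01) or dst not in known_macs


def is_stp_bpdu(frame: bytes) -> bool:
    """BPDUs are addressed to the bridge group MAC; the edge does not tunnel them."""
    return frame[:6] == STP_BPDU_DST


def fabric_edge_forward(frame: bytes, vni: int, known_macs: set[bytes]) -> tuple[str, bytes | None]:
    """Decide what an edge does with a frame arriving from a host port.

    Returns (action, encapsulated_packet): 'drop' for BPDUs (the spanning-tree
    domain ends at the edge), 'flood' for BUM (sent to the underlay multicast
    group), 'unicast' for a frame whose destination MAC is already known.
    """
    if is_stp_bpdu(frame):
        return "drop", None
    packet = vxlan_encap(vni, frame)
    if is_bum(frame, known_macs):
        return "flood", packet
    return "unicast", packet


def vlan_for(vni: int) -> int:
    """Map a received L2VNI back to the locally presented VLAN."""
    try:
        return VNI_TO_VLAN[vni]
    except KeyError:
        raise ValueError(f"no VLAN mapped for VNI {vni}") from None


if __name__ == "__main__":
    known = {mac("de:ad:be:ef:00:01")}
    # Constructed ARP broadcast from a host on the edge port.
    arp = ethernet_frame(mac("ff:ff:ff:ff:ff:ff"), mac("00:11:22:33:44:55"), ETHERTYPE_ARP, b"\x00" * 28)
    action, pkt = fabric_edge_forward(arp, 8188, known)
    vni, inner = vxlan_decap(pkt)
    print(action, vni, vlan_for(vni), inner == arp)
```

Running it shows the ARP broadcast being flooded and decapsulated back to the same frame under VNI 8188. The point worth keeping from vxlan_decap is that the header carries no integrity or authentication, so the underlay (and the RLOC addresses listening on UDP/4789) must be unreachable from the endpoint VLANs; otherwise anyone who can send to that port can inject frames into a VNI of their choosing.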
More Relevant Posts
Tim Shotton
Principal Consultant - Enterprise Networks | CCNP Enterprise
A trip to Liverpool on Saturday turned out to be the world’s saddest Easter egg hunt for me.. Spotting Baltic Broadband / Matt Wilson fixed wireless access solutions across the city 😂 This just goes to show the power of branding I guess, once you’ve seen the red ‘Baltic Broadband’ sticker on a Ubiquiti Nanobeam once, you don’t stop seeing it! 😅 Some really cool connectivity solutions coming from these guys 🤓
Tim Shotton
Principal Consultant - Enterprise Networks | CCNP Enterprise
Been a busy one this week 😮💨 Started off migrating perimeter services over from some legacy core Nexus 7710s onto some new Catalyst 9500-32Cs for a customer. A mid-week date day with the wife to celebrate our 2nd wedding anniversary, and wrapped it up by migrating some ACI L3outs (and upping them from 40G to 100G) to the 9500s along with some failover testing to ensure those new core switches behave how we expect them to during failure scenarios!

Some multi-domain SDA/ACI/WLAN macro-segmentation testing to look forward to next week ahead of migrating a patient bedside monitoring system into SDA in the coming weeks. Now to carve some time out of the weekend to get back to working my way through Narbik Kocharians' CCIE lab workbook!

Happy Friday Folks 🥳
Tim Shotton
Principal Consultant - Enterprise Networks | CCNP Enterprise
How do you migrate a hospital network from old to new? Just like teaching my toddler how to make me a flat white, really f*cking carefully.

Some interesting stats you may not have thought about before.. The 9s of availability. What does this 99.999% uptime actually mean?
99% = 3d 14h 56m 18s downtime per year
99.9% = 8h 41m 38s downtime per year
99.99% = 52m 9.8s downtime per year
99.999% = 5m 13s downtime per year

When planning migrations to move to a new network, it is important that the network stays as available as possible throughout the project. This can be achieved using various methods depending on the network. In most cases where entirely new kit has been purchased and the environment allows, it is possible to stand up a new core, SDA fabric and ACI fabric in parallel to the legacy network, and devices will be migrated over. This causes potential issues where layer 2 networks are being migrated to layer 3 routed designs.. How do you maintain that layer 2 extension for the period of migrations?

In the SDA campus, we want to use as big a data pool as possible for ordinary endpoints to migrate into, but this isn’t always possible for some subnets. There may be devices that have static IP addresses and it is too costly to pay the 3rd party supplier to re-address these, so the subnet has to move into the fabric (other reasons also exist). Once the gateway is moved into the SDA fabric and becomes an anycast gateway it can’t coexist in the legacy environment. We need to extend layer 2 back into the legacy network so all devices on the layer 2 segment can still communicate with the gateway and the devices inside the fabric until all have been migrated.. To overcome this, we make use of a dedicated layer 2 border which will hand layer 2 off to the legacy network. These pools will require layer 2 flooding within the SDA fabric during the migration period to facilitate BUM traffic. The layer 2 border will be removed once all migrations are complete and layer 2 flooding will be switched off in these fixed subnet pools.

A similar technique is used in ACI. We create L2outs, which are effectively a trunk between a border leaf switch and the legacy network. This allows the layer 2 domain to be extended to the legacy environment as we migrate servers into the fabric. Bridge domains are created (think of this as a VLAN) and enabled for flooding within the BD to allow BUM traffic to extend to the legacy network from endpoints within the fabric. Gateways are migrated into the fabric by enabling the bridge domain for layer 3, and L3outs are selected to route this traffic out of the fabric. The L2outs are removed once all servers have been migrated.

Using these techniques allows us to migrate endpoints to the new network as seamlessly as possible, maintaining network availability across the hospital. There’s a lot to consider and a lot of gotchas waiting for you to add that little bit of extra stress to a change 🤣
Tim Shotton
Principal Consultant - Enterprise Networks | CCNP Enterprise
I’ve seen my LinkedIn network grow a fair bit in the past few weeks and as I now scroll my feed, it’s amazing to see the amount of knowledge out there amongst the network engineering community. I’ve not been one to focus on the ‘other’ type of networking before, often siloing myself into a hole, but I am starting to see the power of just interacting more with others for sure. Really enjoying connecting with others, and hopefully surrounding myself with as much knowledge as I can will pay off with my own development! Happy Thursday✌🏻
Tim Shotton
Principal Consultant - Enterprise Networks | CCNP Enterprise
Testing, 1, 2, 3 ‼️

As the great Jeremy Cioara once said, two is one, and one is none when it comes to network resilience. Before we can enter any new kit into production, we have to be sure it will behave as expected and ensure that it is configured correctly. How do we do this? Test, test and test.

One of the most fascinating things I found as I got into network engineering was fault tolerance and convergence. That fascination grew more as I progressed through topics.. HSRP, nice.. OSPF, okay cool.. EIGRP, wow that was quick.. BGP.. Ermmm, feels like things have been down for a while.. Oh wait, this thing called BFD exists, boom, that’s quick..

Hospitals require as close to an always-on network as possible and that is achieved within the campus in several ways. Using Cisco SDA, we are able to make use of anycast gateways within the fabric, no need for FHRP here! From each fabric edge switch, we use a minimum of 2 uplinks to separate intermediate switches and, through the use of ECMP using IS-IS along with BFD, we achieve sub-second failover should we lose an uplink or an uplinking switch. Moving up to the Fabric Border layer, these utilise BGP to hand off prefixes to the network external to the fabric. By design, BGP is a slow protocol to converge. As an exterior gateway protocol, BGP wants to be sure the network is stable rather than converging as quickly as possible. A link flap within an OSPF area causes an SPF calculation across the entire area.. You wouldn’t want that to happen across the internet, right?! The internet is never really converged.. Within the campus however, we want quick convergence here, so we utilise BFD across every BGP peer to ensure a link going down or losing a switch will result in, once again, a sub-second failover..

It is imperative that failover scenarios are tested thoroughly and tested against various different failure causes. This is key to knowing the network will behave as predicted and gives you reassurance that your network will keep running smoothly in the event of maybe even a whole DC room outage, as the other room will keep you going!

There are other areas where the “two is one and one is none” phrase comes in..
- 2 DC rooms, not one
- 2 power feeds, not one
- 2 power supplies, not one
- 2 geographically separate fibre runs between DCs, not one
- 2 ISPs using different circuits, not one

I think you get the drift? Obviously, achieving resilience is always a balance between cost and risk.. While a small branch might not need full redundancy, a hospital absolutely does. This is the importance of correct network design and finding the right solution for the business’ needs.
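A quick bit of arithmetic behind the “two is one, one is none” point, added here as an example (it is not from the post): the downtime a given number of nines allows in a year, and how availability combines when components are in series (all must be up) versus in parallel (any one path is enough). The component figures are constructed and assume failures are independent, which is exactly what separate rooms, feeds and fibre runs are there to make true.

```python
"""Availability arithmetic behind "two is one, one is none".

Added example; not from the post. Component availabilities are constructed
and the model assumes independent failures.
"""
from __future__ import annotations

import math

SECONDS_PER_YEAR = 365 * 24 * 3600  # non-leap year assumed


def downtime_per_year(availability: float) -> float:
    """Seconds of downtime a year that a given availability permits."""
    if not 0.0 <= availability <= 1.0:
        raise ValueError("availability must be between 0 and 1")
    return (1.0 - availability) * SECONDS_PER_YEAR


def fmt(seconds: float) -> str:
    """Render seconds as 'Nd Nh Nm S.Ss'."""
    d, rem = divmod(seconds, 86400)
    h, rem = divmod(rem, 3600)
    m, s = divmod(rem, 60)
    return f"{int(d)}d {int(h)}h {int(m)}m {s:.1f}s"


def serial(*parts: float) -> float:
    """Everything in the chain must be up: availabilities multiply."""
    return math.prod(parts)


def parallel(*parts: float) -> float:
    """Any one path up is enough: 1 - P(all fail), with independent failures."""
    return 1.0 - math.prod(1.0 - a for a in parts)


def nines(availability: float) -> float:
    """How many nines an availability represents, e.g. 0.9999 -> 4.0."""
    return -math.log10(1.0 - availability)


def campus_path(edge: float, uplink: float, n_uplinks: int,
                border: float, n_borders: int) -> float:
    """Edge -> ECMP uplinks -> borders; only the edge itself is a single point."""
    return serial(edge,
                  parallel(*[uplink] * n_uplinks),
                  parallel(*[border] * n_borders))


if __name__ == "__main__":
    for a in (0.99, 0.999, 0.9999, 0.99999):
        print(f"{a:.3%} -> {fmt(downtime_per_year(a))} downtime per year")
    # Constructed figures: an edge and border at four nines, each uplink at three.
    print("one uplink, one border :", round(nines(campus_path(0.9999, 0.999, 1, 0.9999, 1)), 2), "nines")
    print("two uplinks, two borders:", round(nines(campus_path(0.9999, 0.999, 2, 0.9999, 2)), 2), "nines")
```

The two-of-everything case shows why the post's list matters: doubling the uplinks and borders lifts the end-to-end path to roughly the availability of the edge switch alone, and the edge becomes the piece you test the hardest, because nothing in the model backs it up.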
Tim Shotton
Principal Consultant - Enterprise Networks | CCNP Enterprise
Make network engineering cool again! 🤓

That’s a pretty common sentence I keep seeing in LinkedIn posts recently and it got me thinking, what made me think network engineering was a cool career? I think a lot of network engineers end up in this career accidentally and I am no different.. Back when I was a break/fix field engineer, I one day volunteered to help with an office move which happened to involve some repatching in a comms room.. I’d never been in one before and as soon as I entered I remember being mesmerised by all of the green flashing LEDs and thought THIS IS COOL. After a closer look at the switches I found the Cisco logo, did some research, immediately started studying for my CCNA (that same night) and the rest is history!

A visit to one of our customer data centres a few weeks back brought this super simple ‘cool’ feeling back as I entered while the lights were off.. I couldn’t help but take a picture 😅

Something so simple set off a chain reaction to lead me to a career that I didn’t even know existed! I know college courses offer networking as a part of computer studies these days but I can’t help thinking every school should include a visit to one of their comms rooms as part of ICT lessons and a brief introduction at least, to the world of networking.. After all, all the ‘cooler’ IT careers require the same thing to work.. A network! I’m always so intrigued to hear how everyone else ended up on this path 🤔
Tim Shotton
Principal Consultant - Enterprise Networks | CCNP Enterprise
Failure to Launch 🫣

Since I started studying networking, from my first CCENT exam to my most recent ENARSI exam, my biggest challenge has been getting started… I believe many learners face this issue. However, I've recently become better at minimizing distractions and overcoming procrastination. A key takeaway from reading "Atomic Habits" is that it's easier to make distractions more effortful to engage with than to rely on sheer self-control to resist them.

Here are some strategies that work for me:
- Notifications: Off
- Phone: In another room
- Music: Minimalist

When I apply these methods, I'm always amazed at how deeply I can focus on my studies or work. And of course, I'm using my Pomodoro break to write this post, not procrastinating, I promise!
Tim Shotton
Principal Consultant - Enterprise Networks | CCNP Enterprise
As the networking landscape is evolving rapidly, it’s becoming increasingly apparent that the network engineer role as we once knew it is changing to be more of a solutions engineer.. No longer can the sole focus of our role be just routing & switching, we need much more awareness of the whole solution stack.. So this weekend I have been delving into ISE more than I have done before and looking at the micro-segmentation abilities of SDA rather than just the macro-segmentation that I am used to configuring previously.

So far in my lab, I have integrated ISE into Catalyst Center and configured dot1x to authenticate my clients onto the network and configured GBAC to use the SGT matrix in Catalyst Center, and I can see the matrix update in ISE. On the agenda today is to get TrustSec working and ensure the clients are receiving the correct SGT and policy is assigned, and then test connectivity between endpoints!