5-Cisco Multidomain For SDA, SD-WAN and ACI Automation With End-To-End Policy

The document discusses Cisco's Multidomain approach for Software-Defined Access (SDA), SD-WAN, and Application Centric Infrastructure (ACI) automation, focusing on end-to-end policy management across these domains. It highlights challenges such as maintaining consistent policies, end-to-end segmentation, and connectivity between different network domains. The agenda includes an introduction to these technologies, configurations, and a summary of key points related to network automation and policy enforcement.


Cisco Multidomain for SDA, SD-WAN and ACI
Automation with End-to-End Policy
Markus Harbeck, Principal Architect CX EMEA, Germany
@mhgrisu
BRKXAR-2001
#CiscoLive
Cisco Webex App
https://ciscolive.ciscoevents.com/ciscolivebot/#BRKXAR-2001

Questions? Use the Cisco Webex App to chat with the speaker after the session.

How
1 Find this session in the Cisco Live Mobile App
2 Click "Join the Discussion"
3 Install the Webex App or go directly to the Webex space
4 Enter messages/questions in the Webex space

Webex spaces will be moderated by the speaker until June 7, 2024.

BRKXAR-2001 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Agenda

Multidomain
Borders and integrations should be fluid
→ Where is the dog?

LAN, WAN and DC automation let you focus on what really matters
Note: this is only one router


Agenda
1 Intro into SDA, SDWAN and ACI
2 The NNI and configurations
3 Transits, NNI & Policy across domains
4 Summary

Short hint: "My English might be bad but although sexy"
Source: Henning Bornemann – "Thank you for Deutsche Bahn"

Who is Markus Harbeck?

Personal
▪ Location: Eschborn, Germany (near Frankfurt), living in Bavaria
▪ Interests: my family, my two kids, my dog, horseback riding, motorcycling, hiking, flying drones

My Background
▪ CLI junkie since 1996 for all Routing and Switching
▪ Joined Cisco October 2010
▪ Before: 12 years of operations, engineering, application engineering
▪ Orchestration and cross domain
▪ Analytics, assurance, automation and migration projects
▪ CCIE #8087, CCDE #20130015 (Routing and Switching, Security, Design)
→ first guy who compared horses and (SDN) intent

My kids' view on cross domain network design
(drawings: copyright by Saskia, copyright by Hanna)

Inconsistent policies for user access to applications

Policy enforcement points: Branch, Cloud IaaS, Cisco Secure Access, Campus SD-WAN, On-Prem ACI, SD-LAN, On-prem non-ACI, Remote
• No out-of-box integration between platforms to share context about users, devices, and applications
• Cumbersome to implement consistent policies for users' and devices' access to applications
→ Inconsistent Policies

ISE (2.1+) and ACI Integration since 2016
Identity Services Engine policy plane: SXP, REST API, pxGrid
Domain controllers: Catalyst Center (Campus), SD WAN Manager (Branches), APIC (Web / App / DB)
Diagram labels: "No Policy Propagation"; Single Tenant, VRF, Site

Intro: SDA, SDWAN and ACI

Who has the following challenges?
• Maintaining end-to-end segmentation with SD-WAN as transit option
  Examples: SDA to SDWAN, how can I transport my Group Tag? Multiple instances
• Applying and enforcing consistent policy constructs across the enterprise
  Example: maintaining the identity from the edge across IT
• End-to-end connectivity between SDA, SDWAN and ACI
  Example: ensure the NNI / border hand-off is automated

Do you remember?
NNI: Network to Network Interface

Domains – Session Focus
Campus: SD Access via Catalyst Center | WAN: SD WAN | Data Center: ACI

Some basics to start with

Cisco SD-Access – Fabric Roles & Terminology
▪ Network Automation – Simple GUI and APIs for intent-based automation of wired and wireless fabric devices (Cisco Catalyst Center)
▪ Network Assurance – Data collectors analyze endpoint-to-application flows and monitor fabric device status
▪ Identity Services – NAC & ID services (e.g. ISE) for dynamic endpoint-to-group mapping and policy definition
▪ Control-Plane Nodes – Map system that manages endpoint-to-device relationships
▪ Fabric Border Nodes – A fabric device (e.g. Core) that connects external L3 network(s) to the SD-Access fabric
▪ Fabric Edge Nodes – A fabric device (e.g. Access or Distribution) that connects wired endpoints to the SD-Access fabric
▪ Fabric Wireless Controller – A fabric device (WLC) that connects fabric APs and wireless endpoints to the SD-Access fabric
Diagram labels: Cisco ISE, Cisco Catalyst Center, Fabric Site, Fabric Border Nodes, Control-Plane Nodes, Intermediate Nodes (Underlay), Fabric Edge Nodes, Fabric Wireless Controllers, Fabric Wireless Access Points, IP

Cisco SD-WAN Solution Overview
Management/Orchestration Plane: vManage (APIs, 3rd party automation), vBond, vAnalytics
Control Plane: vSmart Controllers
Data Plane: WAN Edge Routers over MPLS, INET and 4G transports, connecting Cloud, Data Center, Campus, Branch and CoLo

Data Center with ACI
ACI Spines, ACI Leafs, Border Leaf (External L2 / L3), Servers, L4-7 Services
APIC Cluster, Nexus Dashboard Fabric Controller

Compare the domains

                 SDA                               SD WAN                         ACI
Management       Cisco Catalyst Center             Cisco SDWAN Manager            APIC
Control Plane    LISP (based on RLOC)              vSmart - OMP (based on TLOC)   COOP - BGP
Underlay         GRT, ISIS                         VN 0                           VTEP
Data Plane       VXLAN                             IPSec / MPLS                   VXLAN
Macro Segment    VN: Infra VN (GRT) + User VN      VPN: VN 512 OOB + VN #         VN + Tenant (Virtual Network)
Micro Segment    SGT (Security Group Tag)          Carries SGT                    EPG (End Point Groups)

NNI and Configurations

The domains and NNIs
Campus: Cisco Catalyst Center, Branch SDA (EN, EN1) | SDWAN: Cisco SDWAN Manager, HQ, SD-WAN Fabric | DC: APIC, DATA CENTER 1 (Border Leaf 1011, Border Leaf 1012, SVR Leaf 1011)
Hand-off at each NNI: BGP with VRF-lite over 802.1Q (VLAN ID, 12 bits); SGT (16 bits) carried by inline tagging

And firewall
Same topology with a DC firewall in the path: Campus / WAN etc. – Firewall – DATA CENTER 1 (APIC, Border Leaf 1011, Border Leaf 1012, SVR Leaf 1011)
Hand-off: BGP with VRF-lite over 802.1Q (VLAN ID, 12 bits); SGT (16 bits) carried by inline tagging

Demo Topology
Campus: Cisco Catalyst Center, Branch SDA (EN / EN1, Gi 1/0/13); Ubuntu-Branch 1 at 22.2.13.76 in VRF 1
SDWAN: Cisco SDWAN Manager, HQ, SD-WAN Fabric, 8500R14 (Ten0/1/1, Gi 0/0/24 VL 602, Gi 0/0/1)
DC: APIC, DATA CENTER 1 (Border Leaf 1011 Eth1/1, Border Leaf 1012 Eth1/1, SVR Leaf 1011); Ubuntu-DC 1 at 22.2.253.3 and Ubuntu-DC 2 at 22.2.253.4, both in VRF PROD:prod
Link addresses between SD-WAN edge and border leaf: 22.2.13.74/30, 22.2.13.73/30

SD Access (Cisco Catalyst Center)
1. Enable IP Transit to the cEdge: pick the FIAB interface, create VLAN and BGP AS
2. Identify the IP addresses assigned by Cisco Catalyst Center to configure the cEdge parameters correctly
3. Check connectivity and routing table
4. Enable CTS propagate if required
5. Potentially SXP to the Border Node if you want to enforce on the BN
Diagram: SD-Access border Gi 0/0/2.301 (VL301) to cEdge Gi 0/0/1; Ubuntu-Branch 1 at 22.2.13.76 in VRF 1

SD WAN (Cisco SD WAN Manager)
1. Enable IP interface to the SDA Border: create VLAN sub-interface and BGP AS from the IP parameters of Catalyst Center
2. Enable BGP and redistribute OMP
3. Advertise BGP into OMP
4. Check connectivity and routing table
5. Enable CTS propagate if required
Diagram: WAN Edge CI4k-cEdge4, Gi 0/0/2.301 (VL301) towards SDA, Gi 0/0/1 towards the SD-WAN Fabric

ACI (APIC)
1. Enable L3Out on the Border Leaf
2. Enable eBGP and
3. Create contract for external communication
4. Check connectivity and routing table
5. Prepare contracts (keep in mind there is no inline tagging for SGT – EPG on transit to the ACI Border Leaf)
Diagram: WAN Edge – 802.1Q – L3out on the Border Leaf – ACI Fabric

Campus and WAN automation let you focus on what really matters

Demo: Domain - Basic Configurations

Transit & Policy across domains

Virtual Network – Macro Segmentation
VN, VPN or VRF maintain a separate routing table for each instance
• SDA Control-Plane (LISP) uses an Instance ID to maintain separate VRF topologies ("Default" VRF is Instance ID "4098")
• SDWAN uses a VPN ID
• Endpoint IDs and/or prefixes are routed and advertised within a Virtual Network
• VNs = VRFs = VPNs maintain complete isolation within a VRF
• Default policy: within a VN allow any to any; between VNs no communication (needs a fusion device)
Diagram: C (control plane), B (border), E (edge); VNs Campus, IOT, Guest; Known Networks / Unknown Networks

Security Groups – Micro Segmentation
A Security Group Tag (SGT) is a logical policy object to "group" users and/or devices
• Users / nodes use "SGTs": a unique Security Group Tag (SGT) is assigned to endpoints
• SDA Edge Nodes add an SGT to the fabric encapsulation
• cEdges (if enabled) transport the SGT end to end
• SGTs are used to manage address-independent "Group-Based Policies" (Contract / SGACL)
• Edge or Border Nodes use the SGT to enforce local Security Group ACLs (SGACLs)
• SGTs with SGACLs can permit / deny traffic within a VN
Diagram: Campus Users VN with endpoints carrying SGTs 3, 4, 8, 11, 12, 17, 19, 23 and 25
VN
Security Group Tags (SGT) Classification
Dynamic classification by ISE at access: 802.1x (e.g. supplicant with cert, user etc.), MAB (MAC Authentication Bypass), Web Authentication, AD PassiveID
Static SGT binding: by port, by VLAN, by IP subnet, by IP address
Demo: ISE SGT and Policies

ISE (3.4+) Common Policy
Identity Services Engine policy plane: SXP, REST API / pxGrid
Domain controllers: Catalyst Center (Campus), SD WAN Manager (Branches), APIC 6.1+ (Web / App / DB)
Multi tenant, VRF and site

IP Transit (VRF Light) for SD WAN and ACI Border Leaf
SDA Fabric Site (172.16.0.1/32) – Border Node – SDA VXLAN – eBGP / VRF light – Fusion Router / Border Leaf 1012 – L3out – ACI Data Center (192.168.1.1/24)
• It's an IP hand-off (trunk or regular)
• No inline tagging or data plane learning
• The Border Node advertises the EID prefix into the external protocol of choice (eBGP)
• The advertisement is summarized so that /32 host routes are not exposed to the external domain
• Repeat for other IP subnets and VRFs in the fabric
ACI side: L3out to external; Border Leaf tags to EPG; APIC to ISE policy sync
Challenges with multisite IP transit:
• No end-to-end segmentation
• Fusion routers at every site
• No automation on the fusion device

SDA Transit
SDA Fabric Site (172.16.0.1/32, 192.168.1.1/24) – Border Node – SDA VXLAN – SDA-T VXLAN extension – Border Node – SDA Fabric Site (192.168.2.2/24, 172.16.1.1/32)
• The Border Node advertises the EID prefix into the Transit Control Plane
• The Transit Control Plane delegates the prefix
• Repeat for other IP subnets and VRFs in the fabric
Pre-requisite with SD-Access Transit:
• Higher MTU support on the WAN (*else use TCP adjust-MSS)
Benefits with SD-Access Transit:
• End-to-end segmentation
• Automated configuration
• No fusion device at every site

SDA Transit Segmentation
Campus (Cisco Catalyst Center, LISP, EN) – SD-Access Transit – Campus (Cisco Catalyst Center, LISP, EN)
VXLAN carries VN and SGT end to end: the VXLAN header holds the SGT (16 bits) and the VNID (24 bits) in both sites and across the transit
VNs and SGTs per site: Corporate (SGTs: Employee, Contractor), IOT (SGTs: Cameras, HVAC), Guest (SGTs: Guests)
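The two field widths the slides keep repeating (SGT 16 bits in the VXLAN header, VNID 24 bits, VLAN ID 12 bits at an 802.1Q hand-off) are what make the transit choice a segmentation question. The example below is added here and is not code from the session; it packs and parses a VXLAN-GBP header (the Group Policy ID carrying the SGT, layout per the VXLAN-GBP draft) and then models what an IP-transit NNI can still carry. The per-hand-off VN-to-VLAN table and the `inline_tagging` flag are assumptions standing in for what Catalyst Center provisions.

```python
import struct

# Field widths from the slides: SGT 16 bits, VNID 24 bits, 802.1Q VLAN ID 12 bits
SGT_BITS, VNID_BITS, VLAN_BITS = 16, 24, 12

# VXLAN flag bits: "I" from RFC 7348; "G" and the Group Policy ID field from the
# VXLAN-GBP draft, which is how the SGT rides inside the fabric encapsulation
FLAG_I = 0x08  # byte 0: VNI field is valid
FLAG_G = 0x80  # byte 0: Group Policy ID field is valid
FLAG_A = 0x08  # byte 1: policy already applied, a later hop must not enforce twice


def build_vxlan_gbp(vnid, sgt, applied=False):
    """Return the 8-byte VXLAN-GBP header for a VN (VNID) and SGT, range-checking both."""
    if not 0 <= vnid < (1 << VNID_BITS):
        raise ValueError(f"VNID {vnid} does not fit in {VNID_BITS} bits")
    if not 0 <= sgt < (1 << SGT_BITS):
        raise ValueError(f"SGT {sgt} does not fit in {SGT_BITS} bits")
    flags0 = FLAG_I | FLAG_G
    flags1 = FLAG_A if applied else 0
    # bytes 0-1 flags, bytes 2-3 Group Policy ID (SGT), bytes 4-6 VNI, byte 7 reserved
    return struct.pack("!BBH", flags0, flags1, sgt) + struct.pack("!I", vnid << 8)


def parse_vxlan_gbp(header):
    """Decode a header into {'vnid', 'sgt', 'applied'}; sgt is None when the G bit is unset."""
    if len(header) != 8:
        raise ValueError("VXLAN header must be 8 bytes")
    flags0, flags1, gpid, vni_res = struct.unpack("!BBHI", header)
    if not flags0 & FLAG_I:
        raise ValueError("I bit not set: no valid VNI")
    return {
        "vnid": vni_res >> 8,                      # top 24 bits, low byte is reserved
        "sgt": gpid if flags0 & FLAG_G else None,  # SGT survives only with the G bit
        "applied": bool(flags1 & FLAG_A),
    }


def ip_transit_handoff(vnid, sgt, vn_to_vlan, inline_tagging):
    """Translate fabric (VNID, SGT) into what an 802.1Q / VRF-lite NNI can carry.

    vn_to_vlan is a hypothetical per-hand-off table: the 24-bit VNID space has to be
    mapped onto a 12-bit VLAN ID, one VLAN per VN. The SGT only survives when the link
    does CTS inline tagging; on the ACI L3Out there is no inline tagging, so the SGT is
    lost in the data plane and ISE has to map SGT to EEPG on the policy plane instead.
    """
    if vnid not in vn_to_vlan:
        raise KeyError(f"no VLAN provisioned for VNID {vnid} on this NNI")
    vlan = vn_to_vlan[vnid]
    if not 1 <= vlan < (1 << VLAN_BITS) - 1:  # usable 802.1Q range is 1..4094
        raise ValueError(f"VLAN {vlan} is not a usable 12-bit VLAN ID")
    return {"vlan": vlan, "sgt": sgt if inline_tagging else None}
```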

Segmentation with SD-WAN as transit
Campus (Cisco Catalyst Center, Branch SDA, EN) – SD-WAN Fabric (Cisco SDWAN Manager, HQ, 8500R14 with Ten0/1/1 and Gi 0/0/1 22.2.13.73/30)
VNs and SGTs at both ends: Corporate (SGTs: Employee, Contractor), IOT (SGTs: Cameras, HVAC), Guest (SGTs: Guests)
Transport VPN and SGT hop by hop:
• LISP / VXLAN header: SGT (16 bits), VNID (24 bits)
• BGP VRF-lite / 802.1Q: SGT (16 bits) by inline tagging, VLAN ID (12 bits)
• OMP / IPSec: CMD header with SGT (16 bits), MPLS VPN labels (24 bits)

Data Center L3out as "transit"
Campus – cEdge – WAN – Firewall – L3out – DATA CENTER 1 (APIC, Border Leaf 1011, Border Leaf 1012, SVR Leaf 1011)
Control plane: BGP VRF-lite at the L3out, COOP / BGP inside ACI
Data plane: 802.1Q with EPG (16 bits) and VLAN ID (12 bits) at the L3out, VXLAN header with VNID (24 bits) inside ACI

End to end all the way to the ACI data center
Campus (Cisco Catalyst Center, Branch SDA, EN) – SD-WAN Fabric (Cisco SDWAN Manager, HQ, 8500R14) – DATA CENTER 1 (APIC, Border Leaf 1011, Border Leaf 1012, SVR Leaf 1011)
Campus VNs and SGTs: Corporate (Employee, Contractor), IOT (Cameras, HVAC), Guest (Guests)
Data center EPGs: Web (Web1, Front1), App (App2, App3), Database (DB1, DB2)
Control plane per hop: LISP – BGP VRF-lite – OMP – BGP VRF-lite – COOP / BGP
Data plane per hop:
• VXLAN header: SGT (16 bits), VNID (24 bits)
• 802.1Q: SGT (16 bits) by inline tagging, VLAN ID (12 bits)
• IPSec: CMD header with SGT (16 bits), MPLS VPN labels (24 bits)
• 802.1Q: EPG (16 bits), VLAN ID (12 bits)
• iVXLAN header: VNID (24 bits)

Policy enforcement

Where to enforce?
• Campus: Edge Node egress, Border Node egress
• SD-WAN: ZBFW on the cEdge
• DC: Border Leaf, Server Leaf
• Firewall between domains or in the DC
Topology: Campus (Cisco Catalyst Center, Branch SDA, EN) – SD-WAN Fabric (Cisco SDWAN Manager, HQ) – DATA CENTER 1 (APIC, Border Leaf 1011, Border Leaf 1012, SVR Leaf 1011)

With common policy
Identity Services Engine (ISE) policy plane: SXP, REST API / pxGrid
Campus (Cisco Catalyst Center, Branch SDA, EN) – SD-WAN Fabric (Cisco SDWAN Manager, HQ, 8500R14) – DATA CENTER 1 (APIC, Border Leaf 1011, Border Leaf 1012, SVR Leaf 1011)
Campus VNs and SGTs: Corporate (Employee, Contractor), IOT (Cameras, HVAC), Guest (Guests)
Data center EPGs: Web (Web1, Front1), App (App2, App3), Database (DB1, DB2)

Enhanced ISE to APIC
Cisco ISE 3.4, ACI 6.1(1) – LA for the solution
Cisco ISE 3.4 Patch 1, ACI 6.1(2) – GA
Identity Services Engine (ISE) – pxGrid ISE-APIC – APIC (DATA CENTER 1: Border Leaf 1011, Border Leaf 1012, SVR Leaf 1011)
• EPGs/ESGs retrieved from the DC
• SGTs deployed to the DC
Campus SGTs: Corporate (Employee, Contractor), IOT (Cameras, HVAC), Guest (Guests); data center EPGs: Web (Web1, Front1), App (App2, App3), Database (DB1, DB2)
✓ Multi-Tenant
✓ Multiple L3Outs
✓ Multi-Pod
✓ Multi-VRF
✓ Multi Data Center support
✓ Inter-VRF
✓ Filter SGTs sent to DC
✓ Filter EPGs/ESGs sent to campus
Policy enforcement in Data Center
1 Connection established to APIC from ISE (API, pxGrid)
2 ISE retrieves all EPGs, ESGs and tenants
3 User can subscribe to EPGs and ESGs
4 ISE owns / learns SGTs with Catalyst Center
Topology: Identity Services Engine (ISE) – APIC – DATA CENTER 1 (Border Leaf 1011, Border Leaf 1012, SVR Leaf 1011); campus SGTs Corporate (Employee, Contractor), IOT (Cameras, HVAC), Guest (Guests); EPGs Web (Web1, Front1), App (App2, App3), Database (DB1, DB2)

Policy enforcement in Data Center
5 Outbound rule to filter the SGT exchange to APIC, converted to EPG
6 Select the SGTs to be sent to ACI
Outbound rule exchanges SGT to EEPG – filtered; inbound rule retrieves EPG – filtered
Mappings on the L3out: SGT Employee to EEPG 10, SGT Contractor to EEPG 20
Topology: Identity Services Engine (ISE) – APIC – DATA CENTER 1 (Border Leaf 1011, Border Leaf 1012, SVR Leaf 1011); campus SGTs Corporate (Employee, Contractor), IOT (Cameras, HVAC), Guest (Guests); EPGs Web (Web1, Front1), App (App2, App3), Database (DB1, DB2)

Policy enforcement in Data Center
7 On ISE select the ACI connection, tenant & L3out
8 Choose an existing ACI contract to make groups a consumer or provider
Mappings on the L3out: SGT Employee to EEPG 10, SGT Contractor to EEPG 20
Campus Contract: the Employee and Contractor SGTs appear as EEPGs on the contract
Topology: Identity Services Engine (ISE) – APIC – DATA CENTER 1 (Border Leaf 1011, Border Leaf 1012, SVR Leaf 1011); campus SGTs Corporate (Employee, Contractor), IOT (Cameras, HVAC), Guest (Guests); EPGs Web (Web1, Front1), App (App2, App3), Database (DB1, DB2)

Demo showing ISE to APIC integration
Campus: Cisco Catalyst Center, Branch SDA (EN / EN1, Gi 1/0/13); Ubuntu-Branch 1 at 22.2.13.76 in VRF 1
SDWAN: Cisco SDWAN Manager, HQ, SD-WAN Fabric, 8500R14 (Ten0/1/1, Gi 0/0/24 VL 602, Gi 0/0/1)
DC: L3out with Campus Contract; APIC, DATA CENTER 1 (Border Leaf 1011 Eth1/1, Border Leaf 1012 Eth1/1, SVR Leaf 1011); Ubuntu-DC 1 at 22.2.253.3 and Ubuntu-DC 2 at 22.2.253.4, both in VRF PROD:prod
Link addresses between SD-WAN edge and border leaf: 22.2.13.74/30, 22.2.13.73/30

Policy enforcement in Campus
1 ISE is the central repository for SGTs from Campus and APIC via pxGrid
2 SGT domain inbound rule puts IP/EPGs (converted to SGTs) into the SGT domain
3 Send IP/SGT mapping to the SD-Access Border via SXP connection
Enforcement point: Campus; L3Out towards the DC
Topology: Campus (Cisco Catalyst Center, EN) – SXP – Identity Services Engine (ISE) – APIC – DATA CENTER 1 (Border Leaf 1011, Border Leaf 1012, SVR Leaf 1011); campus SGTs Corporate (Employee, Contractor), IOT (Cameras, HVAC), Guest (Guests); EPGs Web (Web1, Front1), App (App2, App3), Database (DB1, DB2)

Policy enforcement in Campus
Enforcement point in the campus, with the DC reached via the L3Out; EPGs learned from APIC appear as Employee EPG 2 and Contractor EPG 2
Topology: Campus (Cisco Catalyst Center, EN) – SXP – Identity Services Engine (ISE) – APIC – DATA CENTER 1 (Border Leaf 1011, Border Leaf 1012, SVR Leaf 1011); campus SGTs Corporate (Employee, Contractor), IOT (Cameras, HVAC), Guest (Guests); EPGs Web (Web1, Front1), App (App2, App3), Database (DB1, DB2)

Demo: Common policy across domains

Demo topology showing campus enforcement
Campus: Cisco Catalyst Center, Branch SDA (EN / EN1, Gi 1/0/13), SXP to ISE; Ubuntu-Branch 1 at 22.2.13.76 in VRF 1
SDWAN: Cisco SDWAN Manager, HQ, SD-WAN Fabric, 8500R14 (Ten0/1/1, Gi 0/0/24 VL 602, Gi 0/0/1)
DC: APIC, DATA CENTER 1 (Border Leaf 1011 Eth1/1, Border Leaf 1012 Eth1/1, SVR Leaf 1011); Ubuntu-DC 1 at 22.2.253.3 and Ubuntu-DC 2 at 22.2.253.4, both in VRF PROD:prod
Link addresses between SD-WAN edge and border leaf: 22.2.13.74/30, 22.2.13.73/30

Policy applied in the demo (SGACL):
Src Group   Dest Group   Application   Action
ENG (113)   ENG (113)    ICMP          Deny
ENG (113)   ENG (113)    SSH           permit
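The demo policy above only works because three things line up: the VN default (any to any inside a VN, nothing between VNs), the IP:SGT bindings ISE distributes over SXP, and the SGT-to-EEPG outbound and EPG-to-SGT inbound rules of the ISE to APIC integration described on the earlier data center slides. The model below is added here and is not code from the session; it evaluates the demo's ENG(113) to ENG(113) matrix over the demo hosts and applies the filtered outbound/inbound rules. The bindings, the "PROD" VN label used end to end, and the EPG-to-SGT values in the test are constructed sample data, not values from the deck.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Identity plane: IP:SGT bindings as ISE distributes them over SXP (constructed sample,
# reusing the demo hosts: ENG = SGT 113 on both sides of the SD-WAN transit)
SXP_BINDINGS = {
    ip_network("22.2.13.76/32"): ("ENG", 113),   # Ubuntu-Branch 1, classified in the campus
    ip_network("22.2.253.0/24"): ("ENG", 113),   # Ubuntu-DC 1/2, EPG converted by the inbound rule
}

# Policy plane: the demo SGACL keyed by (src SGT, dst SGT); ACEs are (protocol, dst port, action)
SGACL = {(113, 113): [("icmp", None, "deny"), ("tcp", 22, "permit")]}
DEFAULT_WITHIN_VN = "permit"   # slide: within a VN any to any, unless an SGACL says otherwise

# Outbound rule ISE -> APIC: SGT names become external EPGs on the L3Out (values from the slides)
SGT_TO_EEPG = {"Employee": 10, "Contractor": 20}


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: Optional[int]
    src_vn: str   # VN / VRF the source sits in (assumed to keep one name end to end)
    dst_vn: str


def lookup_sgt(ip):
    """Longest-prefix match of an IP against the SXP bindings; None if nothing is bound."""
    ip = ip_address(ip)
    best = None
    for net, sgt in SXP_BINDINGS.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sgt)
    return best[1] if best else None


def enforce(flow):
    """Permit or deny the way a border/edge node would once SXP has delivered the bindings."""
    if flow.src_vn != flow.dst_vn:
        return "deny"   # macro segmentation: no route between VNs without a fusion device
    src, dst = lookup_sgt(flow.src_ip), lookup_sgt(flow.dst_ip)
    if src is None or dst is None:
        return DEFAULT_WITHIN_VN   # no SGT known, only the VN default can apply
    for proto, port, action in SGACL.get((src[1], dst[1]), []):
        if proto == flow.proto and (port is None or port == flow.dst_port):
            return action
    return DEFAULT_WITHIN_VN


def outbound_rule(campus_sgts, send_filter):
    """EEPGs APIC receives: only SGTs selected in the filter and present in the mapping."""
    return {name: SGT_TO_EEPG[name] for name in campus_sgts
            if name in send_filter and name in SGT_TO_EEPG}


def inbound_rule(epg_hosts, epg_to_sgt, accept_filter):
    """EPGs retrieved from APIC become IP:SGT bindings in the SGT domain; others are filtered."""
    learned = {}
    for epg, hosts in epg_hosts.items():
        if epg not in accept_filter:
            continue
        for host in hosts:
            learned[ip_network(f"{host}/32")] = epg_to_sgt[epg]
    SXP_BINDINGS.update(learned)              # now reachable for campus enforcement via SXP
    return {str(net): sgt for net, sgt in learned.items()}
```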

Policy enforcement in Firewall
1 ISE sends the SGT bindings to the firewall (pxGrid); source and destination SGT/EPG are seen
Firewall enforcement point in front of the L3Out; EPGs learned from APIC appear as Employee EPG 2 and Contractor EPG 2
Topology: Campus (Cisco Catalyst Center, EN) – SXP – Identity Services Engine (ISE) – APIC – DATA CENTER 1 (Border Leaf 1011, Border Leaf 1012, SVR Leaf 1011); campus SGTs Corporate (Employee, Contractor), IOT (Cameras, HVAC), Guest (Guests); EPGs Web (Web1, Front1), App (App2, App3), Database (DB1, DB2)

Policy enforcement in SD-WAN
1 IP:SGT mappings sent to vSmart
Enforcement point: SD-WAN Fabric (8500R14); EPGs learned via the L3Out appear as Employee EPG 2 and Contractor EPG 2
Topology: Campus (Cisco Catalyst Center, Branch SDA, EN) – SD-WAN Fabric (Cisco SDWAN Manager, HQ, 8500R14) – DATA CENTER 1 (APIC, Border Leaf 1011, Border Leaf 1012, SVR Leaf 1011); campus SGTs Corporate (Employee, Contractor), IOT (Cameras, HVAC), Guest (Guests); EPGs Web (Web1, Front1), App (App2, App3), Database (DB1, DB2)

Campus and WAN automation let you focus on what really matters
It is a little step with huge impact


Summary

What Common Policy Enables
Policy enforcement points: Branch, Cloud IaaS, Cisco Secure Access, Campus SD-WAN, On-Prem ACI, SD-LAN, On-prem non-ACI, Remote
→ Consistent Policies
Identity Services Engine (ISE) as context exchange hub:
• Build context in its local domain and store it as standard security group tags (SGT)
• Share context everywhere, across networking and security domains
• Enforce consistent SGT-based policies, enable a simple and unified policy experience
Context-aware policies for on-prem app and cloud workloads for multiple enforcement points

If you did not like the session, send me a message and I will respond within a week…
…and send you back a session I did not like
One more slide pls !!!

Next Steps
As Angus said: Have a drink on me
▪ 1. Experience the NNI – try it out
▪ 2. Enable the end-to-end connectivity
▪ 3. Test and activate common policy with ISE 3.4
▪ 4. Leverage your installed base
User – Connection – Application

Complete Your Session Evaluations
Complete a minimum of 4 session surveys and the Overall Event Survey to be entered in a drawing to win 1 of 5 full conference passes to Cisco Live 2025.
Earn 100 points per survey completed and compete on the Cisco Live Challenge leaderboard.
Level up and earn exclusive prizes!
Complete your surveys in the Cisco Live mobile app.

Continue your education
• Visit the Cisco Showcase for related demos
• Book your one-on-one Meet the Engineer meeting
• Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
• Visit the On-Demand Library for more sessions at www.CiscoLive.com/on-demand

Contact me at: [email protected]

Thank you

#CiscoLive
