Large Site Design Considerations – SD-Access Design

07/18/2023

Typically, a large site is designed with a three-tier network that consists of separate core, distribution, and access layers. These larger site networks are designed to support up to 50,000 endpoints. Multiple service exit points with dedicated data center connections, a shared services block, and Internet services are common.

In a multi-fabric deployment, the headquarters location might use a large site design. There may also be a perimeter edge firewall used to filter Internet traffic for the site. Cisco DNA Center and ISE may be deployed at the site or at a data center that has dedicated connections to the site.

Both the border nodes and the control plane nodes should be deployed as high-availability pairs, with additional control plane nodes dedicated to the guest virtual network where one is used. Physical WLCs in a high-availability pair should be deployed for large sites. The WLCs usually connect to the services block switch or through the border nodes.

Table 10-5 lists reference guidelines for large sites.

Table 10-5 SD-Access Large Site Guidelines

SD-Access Component        Size
Endpoints                  Up to 50,000
IP pools                   Up to 500
Virtual networks           Up to 64
Border nodes               Up to 4
Control plane nodes        Up to 6
Edge nodes                 Up to 1000
Wireless LAN controllers   Up to 2
Access points              Up to 2000

Over-the-Top

SD-Access supports over-the-top (OTT) wireless as an option when dedicated WLCs and newer fabric mode APs are not available. OTT is the traditional Cisco Unified Wireless design, with APs in local mode; it works alongside SD-Access but does not get the advantages of fabric integration, such as SGT-based segmentation of wireless traffic.

With OTT, you still get features such as mobility with roaming, IP address management, and simplified configuration and troubleshooting. Typically, the WLC is located in the data center or in a services block adjacent to the enterprise network that is running SD-Access. Wireless traffic is carried in CAPWAP tunnels between the APs and the WLC and enters the wired network at the WLC rather than at the fabric edge. Because the fabric is not being leveraged for wireless traffic, APs can be connected both inside and outside the SD-Access fabric.

Fabric Wireless

Fabric wireless is the best option for SD-Access if you have local WLCs and new fabric mode APs. This option allows wireless traffic to take advantage of the security benefits of using SGTs with the SD-Access fabric. With fabric wireless, the APs deliver wireless data traffic directly into and out of the wired fabric at the edge node instead of tunneling it to the WLC. The WLC control plane still uses CAPWAP and still requires low-latency connectivity between the WLC and the APs. The colocation requirement for WLCs applies per SD-Access fabric site, so other remote SD-Access fabrics still need their own WLCs.

Where the WLCs sit in the fabric is an important consideration when integrating wireless into SD-Access. Larger deployments typically have a shared services block in which the WLCs connect and integrate near the core of the fabric. The preferred WLC connectivity uses multiple chassis or a switch stack built with StackWise technology, with Multichassis EtherChannels providing both link and switch redundancy.

Fabric mode APs use the INFRA VRF instance, which is the same VRF instance that is used for the underlay in the SD-Access fabric. The INFRA VRF instance uses the global routing table (GRT) and provides connectivity for the network between the edge switches and the border switches.

Figure 10-10 shows the fabric wireless components in SD-Access.

Figure 10-10 Fabric Wireless Components in SD-Access

Multicast

In earlier versions of SD-Access, headend replication of multicast packets into the fabric was standard. This meant the headend (the border) had to receive every multicast packet from the edge switches, replicate it, and forward a copy toward each edge with receivers. Recent versions of SD-Access support native multicast in the fabric, which can be configured manually on the fabric switches or through LAN automation. This configuration reduces the replication overhead on the border switches.

Multicast sources can be supported both inside and outside the SD-Access fabric. With PIM implementations, a rendezvous point (RP) is used on the border for all multicast clients in the overlay. The multicast protocol configurations can be done within Cisco DNA Center.

Both PIM Source-Specific Multicast (SSM) and PIM Sparse Mode are supported with SD-Access. When PIM Sparse Mode is used in the overlay, an RP is required; SSM does not need an RP because receivers join (S,G) directly with IGMPv3. Multicast Source Discovery Protocol (MSDP) can be used for RP redundancy, if desired.
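The following IOS-XE configuration is an added example and is not taken from this page or from Cisco DNA Center output. It shows what the RP-on-border design described above amounts to for one virtual network: a PIM Sparse Mode RP on the border, an MSDP anycast-RP pairing between the two borders for RP redundancy, an SSM range that needs no RP, and an ACL that scopes the RP to the group range the site actually uses. The VRF name CAMPUS, the loopback numbers, and all addresses are assumptions chosen for illustration.

```ios
! Added example, not from the page: RP placement on an SD-Access border node
! for one virtual network, with MSDP anycast-RP to the second border for RP
! redundancy and an SSM range that needs no RP.
! Assumptions (not from the page): VN/VRF name CAMPUS, BORDER-1 unique loopback
! 10.255.0.11, BORDER-2 unique loopback 10.255.0.12, shared anycast RP address
! 10.255.0.1, ASM groups confined to 239.0.0.0/8.
!
! ---------- BORDER-1 ----------
ip multicast-routing vrf CAMPUS
!
interface Loopback100
 description unique address in the VN, used as the MSDP peering source
 vrf forwarding CAMPUS
 ip address 10.255.0.11 255.255.255.255
 ip pim sparse-mode
!
interface Loopback101
 description anycast RP address, configured identically on BORDER-2
 vrf forwarding CAMPUS
 ip address 10.255.0.1 255.255.255.255
 ip pim sparse-mode
!
! Limit the RP to the ASM group range the site uses; joins and registers for
! any other group are rejected instead of creating (*,G) state on the border.
ip access-list standard MCAST-ASM-GROUPS
 permit 239.0.0.0 0.255.255.255
!
ip pim vrf CAMPUS rp-address 10.255.0.1 MCAST-ASM-GROUPS
!
! SSM range (232.0.0.0/8 by default): receivers join (S,G) directly with
! IGMPv3, so the RP is never involved for these groups.
ip pim vrf CAMPUS ssm default
!
! MSDP peering to the other border so source-active state survives an RP
! failure. The originator-id must be the unique loopback, not the anycast
! address; otherwise the peer sees its own RP address in the SA and drops it.
ip msdp vrf CAMPUS peer 10.255.0.12 connect-source Loopback100
ip msdp vrf CAMPUS originator-id Loopback100
!
! ---------- BORDER-2 ----------
! Identical to BORDER-1, except Loopback100 is 10.255.0.12 and the MSDP peer
! address is 10.255.0.11. Loopback101 (10.255.0.1) is the same on both.
```

The anycast-gateway SVIs on the edge nodes in the same VN also need `ip pim sparse-mode`, and `ip igmp version 3` where SSM receivers are attached; when multicast is enabled for the VN in Cisco DNA Center, the generated configuration covers these pieces, with its own interface names and addresses rather than the ones assumed here.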
