Configuring Campus Fabric
Campus Fabric provides the basic infrastructure for building virtual networks based on policy-based segmentation constructs.
Note Beginning with Cisco IOS Release 3.9.1E, Campus Fabric is supported on Cisco Catalyst 4500-E series switches on Supervisor Engine 8-E.
Campus Fabric is not supported on Supervisor Engines 7-E, 7L-E, 8L-E, and on Cisco Catalyst 4500-X series switches.
Note For complete syntax and usage information for the switch commands used in this chapter, see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch.
About Campus Fabric
Campus Fabric Overlay provisioning uses three components to enable flexible attachment of users and devices, and enhanced security through user-based and device-group based policies:
- Control-Plane
- Data-Plane
- Policy-Plane
This feature is supported on the Enterprise Services software image.
Understanding Fabric Domain Elements
The following figure displays the elements that make up the fabric domain.
- Fabric Edge Devices — Provide connectivity to users and devices that connect to the fabric domain. Fabric edge devices identify and authenticate endpoints, and register endpoint ID information in the fabric host-tracking database. They encapsulate at ingress and decapsulate at egress, to forward traffic to and from endpoints connected to the fabric domain.
- Fabric Control-Plane Devices — Provide overlay reachability information and endpoints-to-routing-locator mapping, in the host-tracking database. The control-plane device receives registrations from fabric edge devices with local endpoints, and resolves requests from edge devices to locate remote endpoints. You can configure a total of 3 control-plane devices, internally (a fabric border device) and externally (a designated control-plane device such as a Cisco CSR1000v), to allow redundancy on your network.
- Fabric Border Devices — Connect traditional Layer 3 networks or different fabric domains to the local domain, and translate reachability and policy information, such as VRF and SGT information, from one domain to another. You can configure up to 2 border devices to allow redundancy on your network.
- Virtual Contexts — Provide virtualization at the device level, using virtual routing and forwarding (VRF) to create multiple instances of Layer 3 routing tables. Contexts or VRFs provide segmentation across IP addresses, allowing for overlapped address space and traffic separation. You can configure up to 32 contexts in the fabric domain.
- Host-Pools — Group endpoints in the fabric domain into IP pools, and identify them with a VLAN ID and an IP subnet.
Supported Platforms in Campus Fabric
Table 41-1 Supported Platforms in Campus Fabric (roles: fabric edge, fabric control-plane, fabric border)
Platform | Fabric Edge | Fabric Control-Plane | Fabric Border
Cisco Catalyst 4500-E Series Switches | Yes | No | No
Cisco Catalyst 6800 Series Switches | No | Yes | Yes
Cisco Catalyst 3850 Series Switches | Yes | Yes | Yes
Cisco Nexus 7700 Series Switches | No | Yes | Yes
Campus Fabric Configuration Guidelines
Consider the following guidelines and limitations when configuring campus fabric elements:
- Configure no more than 3 control-plane devices in each fabric domain.
- Configure no more than 2 border devices in each fabric domain.
- Each fabric edge device supports up to 2000 endpoints.
- Each control-plane device supports up to 5000 fabric edge device registrations.
- Configure no more than 32 virtual contexts in each fabric domain.
- Ensure that you use 10-Gigabit-Ethernet supervisor uplinks when configuring underlay connectivity.
Limitations and Restrictions
- You can configure Cisco Catalyst 4500-E series switches as edge devices only.
- Campus Fabric is not supported in Virtual Switching System (VSS) mode and in VSS wireless mode.
- Virtual Extensible LAN (VXLAN) encapsulation is supported on the Supervisor uplink modules only. Ensure that you use supervisor uplink modules for underlay connections between fabric elements.
- Campus Fabric is supported only on Cisco Catalyst 4500-E series switches, on Supervisor Engine 8-E.
- IPv6 hosts are not supported in the fabric domain.
- Policy-based routing (PBR) and Web Cache Communication Protocol (WCCP) are not supported within the fabric domain.
- Cisco TrustSec SGT Exchange Protocol (SXP) cannot be used to propagate SGTs across devices within the fabric domain.
- On the edge device, Cisco TrustSec links are not supported on uplink interfaces connected to the underlay.
- Layer 3 source group tags cannot be applied to uplink interfaces connected to the underlay.
- Multicast in Campus Fabric is supported with PIM Sparse mode and PIM SSM. Dense mode is not supported.
- Multicast Rendezvous-point (RP) redundancy is not supported in the fabric domain.
- Auto-RP is not supported in the fabric domain.
How to Configure Campus Fabric
Configuring Campus Fabric involves the following stages:
- Network Provisioning — Setting up the management plane and the underlay mechanism.
- Overlay Provisioning — Setting up the fabric overlay.
- Policy Management — Setting up virtual contexts or VRFs, endpoint groups and policies.
- Endpoint On-boarding — Setting up authentication and IP pools.
- Monitoring and Troubleshooting — Verifying reachability to all fabric devices.
Configuring Fabric Edge Devices
You can configure Cisco Catalyst 4500-E series switches as edge devices only.
Before You Begin
Step 1: Switch# configure terminal
    Enters global configuration mode.
Step 2: Switch(config)# fabric auto
    Enables automatic fabric provisioning and enters automatic fabric configuration mode.
Step 3: Switch(config-fabric-auto)# domain {default | name fabric-domain-name}
    Configures the default fabric domain and enters domain configuration mode. The name keyword allows you to add a new fabric domain. The no form of this command deletes the fabric domain. You can configure either the default domain or create a new fabric domain, not both.
Step 4: Switch(config-fabric-auto-domain)# control-plane ipv4-address auth-key key
    Specifies the control-plane device IP address and the authentication key that allow the fabric edge device to communicate with the control-plane device. The no control-plane ipv4-address auth-key key command deletes the control-plane device from the fabric domain. You can specify up to 3 control-plane IP addresses for the edge device.
Step 5: Switch(config-fabric-auto-domain)# border ipv4-address
    Specifies the IP address of the border device, to allow the edge device to communicate with the fabric border device. You can specify up to 2 border IP addresses for the edge device.
Step 6: Switch(config-fabric-auto-domain)# context name context-name ID id
    Creates a new context in the fabric domain and assigns an ID to it. Contexts or VRFs provide segmentation across IP addresses, allowing for overlapped address space and traffic separation. You can configure up to 32 contexts in the fabric domain. This step is mandatory if you want to associate a context with a host-pool.
Step 7: Switch(config-fabric-auto-domain)# host-pool name name
    Creates an IP pool to group endpoints in the fabric domain, and enters host-pool configuration mode.
Step 8: Switch(config-fabric-auto-domain-host-pool)# host-vlan ID
    Configures a VLAN ID to associate with the host-pool.
Step 9: Switch(config-fabric-auto-domain-host-pool)# context name name
    (Optional) Associates the context or VRF you created with the host-pool.
Step 10: Switch(config-fabric-auto-domain-host-pool)# gateway ip-address/mask
    Configures the routing gateway IP address and the subnet mask for the host-pool. This address and subnet mask are used to map the endpoint to the uplink interface connecting to the underlay.
Step 11: Switch(config-fabric-auto-domain-host-pool)# use-dhcp ip-address
    Configures a DHCP server address for the host-pool. You can configure multiple DHCP addresses for your host-pool. To delete a DHCP server address, use the no use-dhcp ip-address command.
Step 12: Switch(config-fabric-auto-domain-host-pool)# end
    Returns to privileged EXEC mode.
Step 13: Switch# show fabric domain
    Displays your fabric domain configuration.
Security Group Tags and Policy Enforcement in Campus Fabric
Campus Fabric overlay propagates security group tags (SGTs) across devices in the fabric domain. Packets are encapsulated using virtual extensible LAN (VXLAN) and carry the SGT information in the VXLAN header. When you configure a Cisco Catalyst 4500-E series switch as an edge device, the ipv4 sgt command is auto-generated. The SGT mapped to the IP address of the endpoint behind the edge device is carried within the encapsulated packet and propagated to the destination device, where the packet is decapsulated and the Security Group Access Control List (SGACL) policy is enforced.
For more information on Cisco TrustSec and Source Group Tags, see Cisco TrustSec Switch Configuration Guide.
Auto-Configured Commands on Fabric Edge Devices
As part of Fabric Overlay provisioning, some LISP-based configuration, SGT (security group tag) configuration, and endpoint-to-uplink-interface mapping configuration are auto-generated and displayed in your running configuration.
For example, consider this configuration scenario for an edge device (loopback address 2.1.1.1/32):
device(config)#fabric auto
device(config-fabric-auto)#domain default
device(config-fabric-auto-domain)#control-plane 192.168.1.4 auth-key example-key1
device(config-fabric-auto-domain)#control-plane 192.168.1.5 auth-key example-key2
device(config-fabric-auto-domain)#border 192.168.1.6
device(config-fabric-auto-domain)#context name eg-context ID 10
device(config-fabric-auto-domain)#host-pool name VOICE_DOMAIN
device(config-fabric-auto-domain-host-pool)#vlan 10
device(config-fabric-auto-domain-host-pool)#context eg-context
device(config-fabric-auto-domain-host-pool)#gateway 192.168.1.254/24
device(config-fabric-auto-domain-host-pool)#use-dhcp 209.165.201.6
This is sample output for the fabric edge configuration:
device#show running-config
description Auto-provisioned vrf for eg-context
ip dhcp relay information option vpn
ip dhcp relay information option
control-plane 192.168.1.4 auth-key example-key1
control-plane 192.168.1.5 auth-key example-key2
context name eg-context id 10
host-pool name VOICE_DOMAIN
ip vrf forwarding eg-context
ip dhcp relay source-interface Loopback0
ip address 192.168.1.254 255.255.255.0
ip helper-address global 209.165.201.6
ip route-cache same-interface
no lisp mobility liveness test
lisp mobility eg-context.EID.VOICE_DOMAIN
IPv4-interface Loopback0 priority 10 weight 10
eid-table default instance-id 0
eid-table vrf eg-context instance-id 10
dynamic-eid eg-context.EID.VOICE_DOMAIN
database-mapping 192.168.1.0/24 locator-set default.RLOC
loc-reach-algorithm lsb-reports ignore
ipv4 use-petr 192.168.1.6 priority 10 weight 10
ipv4 itr map-resolver 192.168.1.4
ipv4 itr map-resolver 192.168.1.5
ipv4 etr map-server 192.168.1.4 key example-key1
ipv4 etr map-server 192.168.1.5 key example-key2
Multicast Using Campus Fabric Overlay
You can use Campus Fabric overlay to carry multicast traffic over core networks that do not have native multicast capabilities. Campus Fabric overlay allows unicast transport of multicast traffic with head-end replication at the edge device.
Note Only Protocol Independent Multicast (PIM) Sparse Mode and PIM Source Specific Multicast (SSM) are supported in Campus Fabric. Dense mode is not supported in Campus Fabric.
Configuring Multicast PIM Sparse Mode in Campus Fabric
Step 1: Switch# configure terminal
    Enters global configuration mode.
Step 2: Switch(config)# ip multicast-routing
    Enables IP multicast routing.
Step 3: Switch(config)# ip pim rp-address rp-address
    Statically configures the address of a Protocol Independent Multicast (PIM) rendezvous point (RP) for multicast groups.
Step 4: Switch(config)# interface LISP interface-number
    Specifies the LISP interface and the subinterface on which to enable PIM sparse mode, and enters interface configuration mode.
Step 5: Switch(config-if)# ip pim sparse-mode
    Enables PIM on the interface for sparse-mode operation.
Step 6: Switch(config-if)# exit
    Exits interface configuration mode and enters global configuration mode.
Step 7: Switch(config)# interface interface-type interface-number
    Configures the interface facing the endpoint, and enters interface configuration mode.
Step 8: Switch(config-if)# ip pim sparse-mode
    Enables PIM on the interface for sparse-mode operation.
Step 9: Switch(config-if)# end
    Ends the current configuration session and returns to privileged EXEC mode.
Step 10: Switch# show ip mroute multicast-ip-address
    Verifies the multicast routes on the device.
Step 11: Switch# ping multicast-ip-address
    Verifies basic multicast connectivity by pinging the multicast address.
Step 12: Switch# show ip mfib
    Displays the forwarding entries and interfaces in the IPv4 Multicast Forwarding Information Base (MFIB).
Configuring Multicast PIM SSM in Campus Fabric
Step 1: Switch# configure terminal
    Enters global configuration mode.
Step 2: Switch(config)# ip multicast-routing
    Enables IP multicast routing.
Step 3: Switch(config)# ip pim ssm {default | range {access-list-number | access-list-name}}
    Defines the Source Specific Multicast (SSM) range of IP multicast addresses.
Step 4: Switch(config)# interface LISP interface-number
    Specifies the LISP interface and the subinterface on which to enable PIM sparse mode, and enters interface configuration mode.
Step 5: Switch(config-if)# ip pim sparse-mode
    Enables PIM on the interface for sparse-mode operation.
Step 6: Switch(config-if)# exit
    Exits interface configuration mode and enters global configuration mode.
Step 7: Switch(config)# interface interface-type interface-number
    Configures the interface facing the endpoint, and enters interface configuration mode.
Step 8: Switch(config-if)# ip pim sparse-mode
    Enables PIM on the interface for sparse-mode operation.
Step 9: Switch(config-if)# ip igmp version 3
    Configures IGMP version 3 on the interface.
Step 10: Switch(config-if)# end
    Ends the current configuration session and returns to privileged EXEC mode.
Step 11: Switch# show ip mroute multicast-ip-address
    Verifies the multicast routes on the device.
Step 12: Switch# ping multicast-ip-address
    Verifies basic multicast connectivity by pinging the multicast address.
Step 13: Switch# show ip mfib
    Displays the forwarding entries and interfaces in the IPv4 Multicast Forwarding Information Base (MFIB).
Dataplane Security
Campus Fabric Data Plane Security ensures that only traffic originating within the fabric domain can be decapsulated by an edge device at the destination. Edge and border devices in the fabric domain validate that the source Routing Locator (RLOC), that is, the uplink interface address carried in the outer header of the data packet, belongs to a member of the fabric domain.
Data Plane Security thereby ensures that the edge device source addresses in encapsulated data packets cannot be spoofed: packets injected from outside the fabric domain carry source RLOCs that are not fabric members, and edge and border devices drop them at decapsulation.
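The following Python emulation is an added illustration of the two mechanisms described on this page (the SGT carried in the VXLAN header with SGACL enforcement after decapsulation, and the source-RLOC decapsulation filter in member and locator-set modes); it is not code from the guide or from Cisco. It assumes the VXLAN Group Policy header layout (G flag and a 16-bit group policy ID) for carrying the SGT, which the guide does not spell out, and the RLOC sets and SGACL matrix are constructed sample data.

```python
import ipaddress
import struct

# Constructed sample data, not taken from the guide: RLOCs the control plane has
# registered as fabric members, a static locator-set, and a tiny SGACL matrix.
MEMBER_RLOCS = {"192.168.1.1", "192.168.1.2", "192.168.1.6"}   # "rloc source member" mode
STATIC_LOCATOR_SET = {"192.168.1.6"}                            # "rloc source locator-set" mode
# SGACL cells keyed by (source SGT, destination SGT); a missing cell means deny.
SGACL = {(10, 20): True, (20, 10): False}
VXLAN_PORT = 4789


def build_vxlan_gbp(outer_src, outer_dst, vni, sgt, inner):
    """Build outer IPv4 + UDP + VXLAN header. Assumed layout (VXLAN Group Policy
    extension): flags I=0x08 and G=0x80, 16-bit group policy ID = SGT, 24-bit VNI =
    LISP instance-id of the context. Checksums are left at zero for brevity."""
    vx = struct.pack("!BBH", 0x88, 0, sgt) + vni.to_bytes(3, "big") + b"\x00"
    udp_len = 8 + len(vx) + len(inner)          # UDP length field includes its header
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address(outer_dst).packed)
    return ip + udp + vx + inner


def decapsulate(pkt, mode="member", locator_set=None):
    """Emulate the edge/border decapsulation path. The outer source RLOC must be in
    the member set (dynamic mode) or in the static locator-set before the VXLAN
    header is even parsed; anything else is dropped, which is what stops a spoofed
    RLOC from outside the fabric. Returns ("accept", vni, sgt, inner) or ("drop", why)."""
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    allowed = MEMBER_RLOCS if mode == "member" else (locator_set or set())
    if src not in allowed:
        return ("drop", f"source RLOC {src} is not a fabric member")
    dst_port = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    if dst_port != VXLAN_PORT:
        return ("drop", "not a VXLAN packet")
    flags, _, gpid = struct.unpack("!BBH", pkt[ihl + 8:ihl + 12])
    if not flags & 0x08:
        return ("drop", "VXLAN I flag not set, VNI invalid")
    sgt = gpid if flags & 0x80 else None   # G flag: group policy ID carries the SGT
    vni = int.from_bytes(pkt[ihl + 12:ihl + 15], "big")
    return ("accept", vni, sgt, pkt[ihl + 16:])


def egress_permit(src_sgt, dst_sgt):
    """SGACL enforcement at the destination edge after decapsulation; default deny."""
    return SGACL.get((src_sgt, dst_sgt), False)


if __name__ == "__main__":
    inner = b"constructed inner frame"
    good = build_vxlan_gbp("192.168.1.1", "192.168.1.2", 10, 10, inner)
    spoof = build_vxlan_gbp("203.0.113.9", "192.168.1.2", 10, 10, inner)
    print(decapsulate(good)[:3], decapsulate(spoof))
    print(decapsulate(good, "locator-set", STATIC_LOCATOR_SET))
```

In locator-set mode only the statically listed RLOC passes, so a packet from a legitimate member that is not in the set is dropped as well; that is the trade-off between the member and static forms of the decapsulation filter.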
Configuring Dataplane Security on Fabric Edge Devices
You can configure Cisco Catalyst 4500-E series switches as edge devices only.
Before You Begin
Step 1: Switch# configure terminal
    Enters global configuration mode.
Step 2: Switch(config)# router lisp
    Enters LISP configuration mode.
Step 3: Switch(config-router-lisp)# decapsulation filter rloc source member
    Enables source RLOC address validation of encapsulated packets in the fabric domain.
Step 4: Switch(config-router-lisp)# exit
    Exits LISP configuration mode and returns to global configuration mode.
Step 5:
    Exits interface configuration mode and enters global configuration mode.
Step 6: Switch(config)# show lisp [session [established] | vrf [vrf-name [session [peer-address]]]]
    Displays reliable transport session information. If there is more than one transport session, the information for each is displayed.
Step 7: Switch(config)# show lisp decapsulation filter [ipv4-rloc-address | ipv6-rloc-address] [eid-table eid-table-vrf | instance-id iid]
    Displays RLOC address configuration details (whether manually configured or discovered) on the edge device.
To configure dataplane security in static mode:
Step 1: Switch# configure terminal
    Enters global configuration mode.
Step 2: Switch(config)# router lisp
    Enters LISP configuration mode.
Step 3: Switch(config-router-lisp)# locator-set locator-set-name
    Specifies a locator set for the border device and enters LISP locator set configuration mode.
Step 4: Switch(config-router-lisp-locator-set)# ipv4-address
    Configures the LISP locator set address.
Step 5: Switch(config-router-lisp-locator-set)# exit
    Exits LISP locator set configuration mode.
Step 6: Switch(config-router-lisp)# decapsulation filter rloc source locator-set locator-set-name
    Enables source RLOC address validation of encapsulated packets in the fabric domain, accepting only source RLOCs listed in the named locator set.
Campus Fabric Configuration Examples
This is sample output for the show running-config command for an edge configuration:
control-plane 198.51.100.2 auth-key example-key1
context name eg-context id 10
host-pool name VOICE_VLAN
IPv4-interface Loopback0 priority 10 weight 10
eid-table default instance-id 0
eid-table vrf eg-context instance-id 10
dynamic-eid eg-context.EID.VOICE_VLAN
database-mapping 192.168.1.0/24 locator-set default.RLOC
loc-reach-algorithm lsb-reports ignore
ipv4 use-petr 192.168.1.6 priority 10 weight 10
ipv4 itr map-resolver 192.168.1.4
ipv4 itr map-resolver 192.168.1.5
ipv4 etr map-server 192.168.1.4 key example-key1
ipv4 etr map-server 192.168.1.5 key example-key2
The following is a control-plane configuration, followed by the corresponding sample output of the show running-config command:
device(config)#fabric auto
device(config-fabric-auto)#domain default
device(config-fabric-auto-domain)#control-plane self auth-key example-key1
device(config-fabric-auto-domain)#host-prefix 192.168.1.0/24 context name eg-context id 10
device(config-fabric-auto-domain)#exit
control-plane auth-key example-key1
vlan name VOICE_VLAN id 10
ip address 192.168.1.254 255.255.255.0
ip helper-address global 172.10.1.1
ip route-cache same-interface
no lisp mobility liveness test
lisp mobility default.EID.VOICE_VLAN
dynamic-eid default.EID.VOICE_VLAN
database-mapping 192.168.1.0/24 locator-set FD_DEFAULT.RLOC
authentication-key example-key1
The following is a border configuration, followed by the corresponding sample output of the show running-config command:
device(config)#fabric auto
device(config-fabric-auto)#domain default
device(config-fabric-auto-domain)#border self
device(config-fabric-auto-domain)#control-plane 198.51.100.2 auth-key example-key1
device(config-fabric-auto-domain)#context name eg-context id 10
device(config-fabric-auto-domain)#host-prefix 192.168.1.0/24 context name eg-context id 10
device(config-fabric-auto-domain)#exit
device#show running-config
control-plane 198.51.100.2 auth-key example-key1
context name eg-context id 10
host-prefix 192.168.1.0/24 context name eg-context
loc-reach-algorithm lsb-reports ignore
ipv4 itr map-resolver 198.51.100.2
ipv4 etr map-server 198.51.100.2 key example-key1