Which encapsulation protocol when deployed on a cisco router

What is the reason for configuring a passive interface on a router? Which internet protocol version was used as experimental Internet Protocol and never deployed? Line protocol in down then what you do? Which item is an encapsulation protocol that can be used in cisco routers when configuring subinterfaces? What is the difference between a Link and an Interface?

Primary transmission protocol of the internet? What is achieved by the encapsulation process at the network layer? What is PPP? Which term describes set of rules that determines the formatting of messages and the process of encapsulation used to forward data? What is Serial line interface protocol?

What is SSL protocol? What does the passive command provide to dynamic routing protocols? Which term describes a specific set of rules that determines the formatting of messages and the process of encapsulation used to forward data? Which term describes a specific set of rules that determines the formatting of message and the process of encapsulation used to forward data?

Which term describes a specific set of rules determining the formatting of messages and process of encapsulation used to forward data? Which data link layer encapsulation protocol is used by default for serial connections between two Cisco routers? Which term describes a specific set rules determine the formatting of messages and the process of encapsulation used tp forward data? What is the full form of SIP? What is the most Simple hosting website?

Where can I get the most amazing hosting site? Because this border node is connected to the traditional network, it is subject to broadcast storms, Layer 2 loops, and spanning-tree problems that can occur in Layer 2 switched access networks.

To prevent disruption of control plane node services or border node services connecting to other external or external networks, a border node should be dedicated to the Layer 2 handoff feature and not colocated with other fabric roles or services. Some physical locations may use unique wiring plans such that the MDF and IDF do not conform to the common two-tier and three-tier hierarchical network structure. The result is that the available fiber and copper wiring may require access switches to be daisy-chained or configured in a ring.

Any number of wiring variations may exist in a deployment. Due to the unique nature of supporting all three fabric roles on a node, Fabric in a Box has specific topologies that are supported if additional fabric edge nodes or extended nodes are connected to it downstream from it.

The topologies supported differ based on if SD-Access Embedded wireless now a fourth fabric role on the device is also implemented. Like other devices operating as edge node, extended nodes and access points can be directly connected to the Fabric in a Box. In locations where physical stacking is not possible due to the wiring structure, Fabric in a Box can support up to two daisy-chained edge nodes creating a three-tier topology. In this daisy-chained topology, access points and extended nodes can be connected to any of the devices operating in the edge node role, including the Fabric in a Box itself.

Embedded wireless is also supported in this scenario. Dual Fabric in a Box is also supported, though should only be used if mandated by the existing wiring structures. Fabric in a Box is supported using a single switch, a switch with hardware stacking, or with StackWise Virtual deployment.

Extended nodes are connected to a single Fabric Edge switch through an This trunk port is deployed as an EtherChannel with one or more links aggregated to the upstream fabric edge. Cisco DNA Center automates both the trunk and the creation of the port-channel. Once onboarded through the workflow, switch ports on the extended node support the same dynamic methods of port assignments as an edge node in order to provide macro-segmentation for connected endpoints.

Cisco DNA Center has two different support options for extended nodes: classic extended nodes and policy extended nodes. When deploying extended nodes, consideration should be taken for east-west traffic in the same VLAN on a given extended node.

This east-west traffic is forwarded using traditional Layer-2 forwarding logic. When a host connected to extended node sends traffic to destinations in the same VN connected to or through other fabric edge nodes, segmentation and policy is enforced through VLAN to SGT mappings on the fabric edge node.

For enhanced security and segmentation scalability, consider using the Policy Extended Node because scalable group enforcement can be executed at the ingress point in the network. Additional enhancements are available to devices operating as Policy Extended Nodes. In addition to the operation and management provide by a classic extended node, policy extended nodes directly support SGTs.

This provides direct east-west traffic enforcement on the extended node. Segmentation to other sources in the fabric are provided through inline tagging on the Extended nodes and Policy Extended Nodes can only be connected to a single fabric edge switch. They should not be dual-homed to different upstream edge nodes.

Daisy chaining is not supported by the zero-touch Plug and Play process used to onboard these switches. The devices must have the appropriate interface type and quantity to support connectivity to both the upstream fabric edge node and the downstream endpoints.

Access points and other Power over Ethernet PoE devices can be connected directly to both variants of extended node switches. When connecting PoE devices, ensure that there is enough available PoE power available. This is especially true with Industrial Ethernet Series switches which have significant variety of differing powering options for both AC and DC circuits.

SGT value is leveraged on the ports between the policy extended node and the edge node. It should not be reused elsewhere in the deployment. Because these ports use inline tagging, this scalable group identifier is used to build the trust between the two peer devices on both ends of the link.

Platform Roles and Capabilities Considerations. The SD-Access network platform should be chosen based on the capacity and capabilities required by the network, considering the recommended functional roles. The physical network design requirements drive the platform selection. Platform capabilities to consider in an SD-Access deployment:. Additionally, the roles and features support may be reduced.

The Nexus Series switch is only supported as an external border. It does not support colocating the control plane node functionality. It is not supported as a border node connected to SD Access Transit for Distributed Campus deployments nor does it support the Layer 2 handoff functionality and Layer 2 flooding features.

It does not support SD-Access embedded wireless. Greenfield deployments should consider Catalyst Series switches rather than the N Series switch for use in the fabric.

Cisco DNA Center is supported in single-node and three-node clusters. Scaling does not change based on the number of nodes in a cluster; three-node clusters simply provide high availability HA. If the Cisco DNA Center node is deployed as a single-node cluster, wiring, IP addresses, and connectivity should be planned and configured with future three-node clustering in mind.

However, automated provisioning capabilities and Assurance insights are lost until the single node availability is restored. For high-availability purposes, a three-node cluster can be formed by using appliances with the same core count.

This includes the ability to cluster a first-generation core appliance with a second-generation core appliance. Within a three-node cluster, service distribution provides distributed processing, database replication, security replication, and file synchronization.

Software upgrades are automatically replicated across the nodes in a three-node cluster. A three-node cluster will survive the loss of a single node, though requires at least two nodes to remain operational. Some maintenance operations, such as software upgrades and file restoration from backup, are restricted until the three-node cluster is fully restored.

Additionally, not all Assurance data may be protected while in the degraded two-node state. For Assurance communication and provisioning efficiency, a Cisco DNA Center cluster should be installed in close network proximity to the greatest number of devices being managed to minimize communication delay to the devices.

Additional latency information is discussed in the Latency section. Layer 2 Flooding. Critical VLAN. LAN Automation. The following section discusses design consideration for specific features in SD-Access.

It begins with a discussion on multicast design, traditional multicast operations, and Rendezvous Point design and placement. Multicast forwarding in the fabric is discussed along with considerations regarding the Layer 2 flooding feature which relies on a multicast transport in the underlay.

This section ends with LAN Automation, its use-case, general network topology design to support the feature, and considerations when the LAN Automation network is integrated into the remainder of the routing domain. Multicast is supported both in the overlay virtual networks and the in the physical underlay networks in SD-Access, with each achieving different purposes as discussed further below. The multicast source can either be outside the fabric site commonly in the data center or can be in the fabric overlay, directly connected to an edge node, extended node, or associated with a fabric AP.

Multicast receivers are commonly directly connected to edge nodes or extended nodes, although can also be outside of the fabric site if the source is in the overlay. The overlay or the underlay can be used as the transport for multicast as described in the Forwarding section. The advantage of using RPs is that multicast receivers do not need to know about every possible source, in advance, for every multicast group.

Only the address of the RP, along with enabling PIM, is needed to begin receiving multicast streams from active sources. A Rendezvous Point is a router a Layer-3 device in a multicast network that acts as a shared root for the multicast tree. Rendezvous Points can be configured to cover different multicast groups, or with regards to SD-Access, cover different virtual networks.

Active multicast sources are registered with an RP, and network devices with interested multicast receivers will join the multicast distribution tree at the Rendezvous Point.

An RP can be active for multiple multicast groups, or multiple RPs can be deployed to each cover individual groups. The information on which RP is handling which group must be known by all the routers in the multicast domain. For this group-to-RP-mapping to occur, multicast infrastructure devices must be able to locate the Rendezvous Point in the network. Anycast-RP allows two or more RPs to share the load for multicast source registration and act as hot-standbys for each other. With multiple, independent RPs in the network, a multicast source may register with one RP and a receiver may register with another, as registration is done with the closest RP in terms of the IGP metric.

This allows the sources to be known to all the Rendezvous Points, independent of which one received the multicast source registration. Where an RP is placed in a network does not have to be a complex decision. Protocol independent multicast PIM is used to build a path backwards from the receiver to the source, effectively building a tree. This tree has a root with branches leading out to the interested subscribers for a given stream. Source tree models PIM-SSM have the advantage of creating the optimal path between the source and the receiver without the need to meet a centralized point the RP.

Switchover moves from the shared tree, which has a path to the source by way of the rendezvous point, to a source tree, which has a path directly to the source. In an environment with fixed multicast sources, RPs can easily be placed to provide the shortest-path tree. In environments with dynamic multicast sources, RPs are commonly placed in the core of a network. In traditional networking, network cores are designed to interconnect all modules of the network together, providing IP reachability, and generally have the resources, capabilities, and scale to support being deployed as a Rendezvous Point.

In SD-Access networks, border nodes act as convergence points between the fabric and non-fabric networks. Border nodes are effectively the core of the SD-Access network.

Discussed above, border node device selection is based on the resources, scale, and capability to support being this aggregation point between fabric and non-fabric. For unicast and multicast traffic, the border nodes must be traversed to reach destinations outside of the fabric.

The border nodes already represent the shortest path. Most environments can achieve the balance between optimal RP placement along with having a device with appropriate resources and scale by selecting their border node as the location for their multicast Rendezvous Point.

The Rendezvous Point does not have to be deployed on a device within the fabric site. External devices can be designated as RPs for the multicast tree in a fabric site. Up to two external RPs can be defined per VN in a fabric site. External RP placement allows existing RPs in the network to be used with the fabric.

In this way multicast can be enabled without the need for new MSDP connections. If RPs already exist in the network, using these external RPs is the preferred method to enable multicast. SD-Access supports two different transport methods for forwarding multicast. One uses the overlay and is referred to as head-end replication, and the other uses the underlay and is called Native Multicast. Multicast forwarding is enabled per-VN.

However, if native-multicast is enabled, for a VN, head-end replication cannot be used for another VN in the fabric site. These two options are mutually exclusive within the fabric site. Head-end replication or ingress replication is performed either by the multicast first-hop router FHR , when the multicast source is in the fabric overlay, or by the border nodes, when the source is outside of the fabric site. The multicast packets from the source are replicated and sent, via unicast, by the FHR to all last-hop routers LHR with interested subscribers.

For example, consider a fabric site that has twenty-six 26 edge nodes. Each edge node has receivers for a given multicast group, and the multicast source is connected to one of the edge nodes. The FHR edge node must replicate each multicast packet to all other twenty-five edge nodes. This replication is performed per source, and packets are sent across the overlay. A second source means another twenty-five unicast replications. If the multicast source is outside of the fabric site, the border node acts as the FHR for the fabric site and performs the head-end replication to all fabric devices with interested multicast subscribers.

The advantage of head-end replication is that it does not require multicast in the underlay network. This creates a complete decoupling of the virtual and physical networks from a multicast perspective. In deployments where multicast cannot be enabled in the underlay networks, head-end replication can be used.

Networks should consider Native Multicast due to its efficiency and the reduction of load on the FHR fabric node. Native multicast does not require the ingress fabric node to do unicast replication. Rather the whole underlay, including intermediate nodes nodes not operating in a fabric role are used to do the replication. To support native multicast, the FHRs, LHRs, and all network infrastructure between them must be enabled for multicast.

The overlay multicast messages are tunneled inside underlay multicast messages. This behavior also allows overlap in the overlay and underlay multicast groups in the network, if needed. Because the entire underlay network between source and receiver is working to do the packet replication, scale and performance is vastly improved over head-end replication. Native multicast works by performing multicast-in-multicast encapsulation.

Multicast packets from the overlay are encapsulated in multicast in the underlay. Layer 2 flooding is feature that enables the flooding of broadcast, link-local multicast, and ARP traffic for a given overlay subnet. In traditional networking, broadcasts are flooded out of all ports in the same VLAN. By default, SD-Access transports frames without flooding Layer 2 broadcast and unknown unicast traffic, and other methods are used to address ARP requirements and ensure standard IP communication gets from one endpoint to another.

However, some networks need to utilize broadcast, particularly to support silent hosts which generally require reception of an ARP broadcast to come out of silence. This is commonly seen in some building management systems BMS that have endpoints that need to be able to ARP for one other and receive a direct response at Layer 2.

Another common use case for broadcast frames is Wake on LAN WoL Ethernet broadcasts which occur when the source and destination are in the same subnet. Because the default behavior, suppression of broadcast, allows for the use of larger IP address pools, pool size of the overlay subnet needs careful consideration when Layer 2 flooding is enabled.

Layer 2 flooding should be used selectively, where needed, using small address pool, and it is not enabled by default. Layer 2 flooding works by mapping the overlay subnet to a dedicated multicast group in the underlay. All fabric edge nodes within a fabric site will have the same overlay VNs and overlay IP subnets configured. When Layer 2 flooding is enabled for a given subnet, all edge nodes will send multicast PIM joins for the respective underlay multicast group, effectively pre-building a multicast shared tree.

A shared tree must be rooted at a Rendezvous Point, and for Layer 2 flooding to work, this RP must be in the underlay. If LAN Automation is used, the LAN Automation primary device seed device along with its redundant peer peer seed device are configured as the underlay Rendezvous Point on all discovered devices. If Layer 2 flooding is needed and LAN Automation was not used to discover all the devices in the fabric site, multicast routing needs to be enabled manually on the devices in the fabric site and MSDP should be configured between the RPs in the underlay.

If a server is available, the NAD can authenticate the host. If all the configured RADIUS servers are unavailable and the critical VLAN feature is enabled, the NAD grants network access to the endpoint and puts the port in the critical-authentication state which is a special-case authentication state.

When the RADIUS servers are available again, clients in the critical-authentication state must reauthenticate to the network. Within a fabric site, a single subnet can be assigned to the critical data VLAN. By default, users, devices, and applications in the same VN can communicate with each other. SGTs can permit or deny this communication within a given VN. When designing the network for the critical VLAN, this default macro-segmentation behavior must be considered.

For example, consider if the subnet assigned for development servers is also defined as the critical VLAN. Because these devices are in the same VN, communication can occur between them. This is potentially highly undesirable. Creating a dedicated VN with limited network access for the critical VLAN is the recommended and most secure approach. In the event of RADIUS unavailability, new devices connecting to the network will be placed in their own virtual network which automatically segments their traffic from any other, previously authenticated hosts.

The dedicated critical VN approach must look at the lowest common denominator with respect to total number of VN supported by a fabric device. Certain switch models support only one or four user-defined VNs. Using a dedicated virtual network for the critical VLAN may exceed this scale depending on the total number of other user-defined VNs at the fabric site and the platforms used.

The simplified procedure builds a solid, error-free underlay network foundation using the principles of a Layer 3 routed access design. Once in Inventory, they are in ready state to be provisioned with AAA configurations and added in a fabric role. LAN Automation is designed to onboard switches for use in an SD-Access network either in a fabric role or as an intermediate device between fabric nodes.

While understanding the full Cisco PnP solution is not required for provisioning and automation, understanding the pieces aids in network design.

It receives Plug and Play requests from Cisco devices and then provisions devices based on defined rules, criteria, and templates. By default, this agent runs on VLAN 1. When a switch is powered on without any existing configuration, all interfaces are automatically associated with VLAN 1.

Once they have been discovered and added to Inventory, these devices are used to help onboard additional devices using the LAN Automation feature. There are specific considerations for designing a network to support LAN Automation.

These include IP reachability, seed peer configuration, hierarchy, device support, IP address pool planning, and multicast.

Additional design considerations exist when integrating the LAN Automated network to an existing routing domain or when running multiple LAN automation sessions. Each of these are discussed in detail below. On the seed device, this can be achieved through direct routes static routing , default routing, or through an IGP peering with upstream routers. To avoid further, potential redistribution at later points in the deployment, this floating static can either be advertised into the IGP or given an administrative distance lower than the BGP.

While a single seed can be defined, two seed devices are recommended. The secondary seed can be discovered and automated, although most deployments should manually configure a redundant pair of core or distribution layer switches as the seed and peer seed devices. The peer device secondary seed can be automated and discovered through the LAN Automation process. However, it is recommended to configure the device manually. The two seed devices should be configured with a Layer 3 physical interface link between them.

Both devices should be configured with IS-IS, and the link between the two should be configured as a point-to-point interface that is part of the IS-IS routing domain. If the network has more than three-tiers, multiple LAN Automation sessions can be performed sequentially. In Figure 26, if the seed devices are the core layer, then the Distribution 1 and Distribution 2 devices can be discovered and configured through LAN Automation.

To discover the devices in the Access layer, a second LAN Automation session can be started after the first one completes. This second session could define Distribution 1 or Distribution 2 as the seed devices for this new LAN Automation workflow.

Table 1. Cisco Catalyst Series Switches. Cisco Catalyst E Series Switches 1. For any given single device onboarded using LAN Automation with uplinks to both seeds, at least six IP addresses are consumed within the address pool. For example, one session can be run to discover the first set of devices.

When a LAN Automation session starts, a check is run against that internal database to ensure there are at least available IP addresses in the defined address pool. If discovering using the maximum two CDP hops, both the upstream and downstream interfaces on the first-hop device will be configured with routed ports. This provides the highest efficiency of preservation of IP address pool space.

LAN Automation can onboard up to discovered devices during each session. Care should be taken with IP address planning based on the address pool usage described above to ensure that the pool is large enough to support the number of devices onboarded during both single and subsequent sessions.

It is represented by a check box in the LAN Automation workflow as shown the following figure. When this box is checked, PIM sparse-mode will be enabled on the interfaces Cisco DNA Center provisions on the discovered devices and seed devices, including Loopback 0.

If subsequent LAN Automation sessions for the same discovery site are done using different seed devices with the Enable multicast checkbox selected, the original seed will still be used as the multicast RPs, and newly discovered devices will be configured with the same RP statements pointing to them. The seed devices are commonly part of a larger, existing deployment that includes a dynamic routing protocol to achieve IP reachability to Cisco DNA Center.

When a LAN Automation session is started, IS-IS routing is configured on the seed devices in order to prepare them to provide connectivity for the discovered devices. This IS-IS configuration includes routing authentication, bidirectional forwarding detection , and default route propagation. These provisioned elements should be considered when multiple LAN automation sessions are completed in the same site, when LAN Automation is used in multiple fabric sites, and when the fabric is part of a larger IS-IS routing domain.

If the seed devices are joining an existing IS-IS routing domain, the password entered in the GUI workflow should be the same as the existing routing domain to allow the exchange of routing information. Here are the reasons an mGRE tunnel's line protocol can be in a down state:.

This added an additional check, which keeps such tunnel interfaces in the line protocol down state until the redundancy state changes to ACTIVE. In addition to checking the reasons previously outlined, the tunnel line state evaluation for the tunnel down reason can be seen with the show tunnel interface tunnel x hidden command as shown here:. Note : There is an open enhancement to make the tunnel down reason more explicit in order to indicate that it is due to the redundancy state not being active.

Skip to content Skip to search Skip to footer. Available Languages. Updated: August 8, Contents Introduction. Introduction This document describes the different conditions that can affect the state of a Generic Routing Encapsulation GRE tunnel interface.

Background Information GRE tunnels are designed to be completely stateless. Note If you want to use NAT with a virtual-template interface, you must configure a loopback interface. See Chapter 1, "Basic Router Configuration," for information on configuring a loopback interface. The following configuration example shows a portion of the configuration file for the PPPoE scenario described in this chapter. NAT is configured for inside and outside.

Note Commands marked by " default " are generated automatically when you run the show running-config command. You should see verification output similar to the following example:. Command or Action. Router config-vpdn request-dialin. Router config-vpdn-req-in protocol pppoe. Router config-vpdn-req-in exit. Router config interface fastethernet 4. Router config-if pppoe-client dial-pool-number 1. Router config-if no shutdown. Router config interface dialer 0. Router config-if ip address negotiated.

Router config-if ip mtu Router config-if encapsulation ppp. Router config-if ppp authentication chap. Router config-if dialer pool 1. Router config-if dialer-group 1.