*************************************
1. Fabric Provisioning & Onboarding
*************************************

===========================
A. Reserve the Pools
===========================
- Name: IT-1 - 172.16.1.0/24
  - DGW  -> 172.16.1.254
  - DHCP -> 10.10.101.230
  - DNS  -> 10.10.101.230
- Name: IT-2 - 172.16.2.0/24
  - DGW  -> 172.16.2.254
  - DHCP -> 10.10.101.230
  - DNS  -> 10.10.101.230
- Name: SALES-1 - 172.16.3.0/24
  - DGW  -> 172.16.3.254
  - DHCP -> 10.10.101.230
  - DNS  -> 10.10.101.230
- Name: SALES-2 - 172.16.4.0/24
  - DGW  -> 172.16.4.254
  - DHCP -> 10.10.101.230
  - DNS  -> 10.10.101.230
- Name: B-F - 172.20.1.0/24 (Border/Fusion handoff pool)

===========================
B. Create VNs
===========================
- Name: IT_VN
- Name: SALES_VN

==============================
C. Configure Fusion Settings
==============================
- Name: Fusion
- Protocol: IP/BGP
- AS#: 65001

==============================
D. Create the Fabric
==============================
- Name: HQ-Fabric
- Site: Global/Los Angeles/HQ
- VNs: INFRA_VN, IT_VN & SALES_VN

==============================================
E. Map the IP Subnets to the appropriate VNs
==============================================
- Authentication Template: Closed
- IT_VN
  - VLAN Name/Authentication Policy: IT-1
    - IP Subnet: 172.16.1.0/24
    - Type: Data/Traffic
  - VLAN Name/Authentication Policy: IT-2
    - IP Subnet: 172.16.2.0/24
    - Type: Data/Traffic
- SALES_VN
  - VLAN Name/Authentication Policy: SALES-1
    - IP Subnet: 172.16.3.0/24
    - Type: Data/Traffic
  - VLAN Name/Authentication Policy: SALES-2
    - IP Subnet: 172.16.4.0/24
    - Type: Data/Traffic

==============================================
F. Configuring the Control/Border Switch
==============================================
- Role: Control
- Role: Border
  - AS#: 65002
  - Default to all networks: Checked
  - Do not Import External Routes: Unchecked
  - Pool: Border-Fusion
  - Peer: Fusion
  - Interface (Border interface connecting towards Fusion): Gig1/0/1
- Role: Edge (9300E1 & 9300E2)

*************************************
2. Configuring the Fusion Router
*************************************

===========================
A. Create the VRFs
===========================
--------
Border
--------
sh run | s vrf
Copy the output and paste it into the Fusion router.

--------
Fusion
--------
vrf definition IT_VN
 rd 1:4100
 !
 address-family ipv4
  route-target export 1:4100
  route-target import 1:4100
 exit-address-family
!
vrf definition SALES_VN
 rd 1:4099
 !
 address-family ipv4
  route-target export 1:4099
  route-target import 1:4099
 exit-address-family

=======================================
B. Create the VLANs in the 3000 Range
=======================================
--------
Border
--------
sh vlan

--------
Fusion
--------
vlan 3001,3002,3003

=======================================
C. Create the SVIs
=======================================
--------
Border
--------
sh run interface vlan 3001
Copy the information and change the IP to the next address (the Fusion side of each /30).

--------
Fusion
--------
interface Vlan3001
 description INFRA_VN
 ip address 172.20.1.2 255.255.255.252
 no shut
!
interface Vlan3002
 description IT_VN
 vrf forwarding IT_VN
 ip address 172.20.1.6 255.255.255.252
 no shut
!
interface Vlan3003
 description SALES_VN
 vrf forwarding SALES_VN
 ip address 172.20.1.10 255.255.255.252
 no shut

=======================================
D. Configure BGP
=======================================
--------
Border
--------
sh run | s router bgp
Copy the information and change the config so that the neighbors point towards the Border.

--------
Fusion
--------
router bgp 65001
 neighbor 172.20.1.1 remote-as 65002
 neighbor 172.20.1.1 update-source Vlan3001
 !
 address-family ipv4
  network 10.10.101.0 mask 255.255.255.0
  neighbor 172.20.1.1 activate
  neighbor 172.20.1.1 default-originate
 exit-address-family
 !
 address-family ipv4 vrf IT_VN
  network 10.10.101.0 mask 255.255.255.0
  neighbor 172.20.1.5 remote-as 65002
  neighbor 172.20.1.5 update-source Vlan3002
  neighbor 172.20.1.5 activate
  neighbor 172.20.1.5 default-originate
 exit-address-family
 !
 address-family ipv4 vrf SALES_VN
  network 10.10.101.0 mask 255.255.255.0
  neighbor 172.20.1.9 remote-as 65002
  neighbor 172.20.1.9 update-source Vlan3003
  neighbor 172.20.1.9 activate
  neighbor 172.20.1.9 default-originate
 exit-address-family

=======================================
E. Configure Route Leaking on Fusion
=======================================
--------
Fusion
--------
+++++++++++++++++++++++++
From Global to VRF
+++++++++++++++++++++++++
! ACL 99 scopes what the VRFs may import from the global table: only the
! shared-services subnet (DHCP/DNS at 10.10.101.230), nothing else.
access-list 99 permit 10.10.101.0 0.0.0.255
!
route-map GLOBAL
 match ip address 99
!
vrf definition IT_VN
 address-family ipv4
  import ipv4 unicast map GLOBAL
!
vrf definition SALES_VN
 address-family ipv4
  import ipv4 unicast map GLOBAL

+++++++++++++++++++++++++
From VRF to Global
+++++++++++++++++++++++++
! Global-table statics that exit through the VRF SVIs, one per reserved pool,
! so the global table learns the four fabric subnets and nothing more.
ip route 172.16.1.0 255.255.255.0 Vlan3002
ip route 172.16.2.0 255.255.255.0 Vlan3002
ip route 172.16.3.0 255.255.255.0 Vlan3003
ip route 172.16.4.0 255.255.255.0 Vlan3003

Between them, the import map and the per-pool statics are the whole VRF boundary on the Fusion: the fabric VRFs see only 10.10.101.0/24 from global, and global sees only the four reserved pools. Any additional permit in ACL 99 or any extra static route widens that boundary, so re-check both whenever a pool is added.

*************************************
3. Configuring ISE
*************************************

===========================
A. Create Groups & Users
===========================
Groups
- IT-GROUP-1
- IT-GROUP-2
- SALES-GROUP-1
- SALES-GROUP-2

Users
- IT-Exec / Cisco@123
  - Group: IT-GROUP-1
- IT-Eng / Cisco@123
  - Group: IT-GROUP-2
- SALES-Exec / Cisco@123
  - Group: SALES-GROUP-1
- SALES-Rep / Cisco@123
  - Group: SALES-GROUP-2

===========================
B. Create Auth Profile
===========================
Name: IT-Exec-Profile
VLAN: IT-1

Name: IT-Eng-Profile
VLAN: IT-2

Name: SALES-Exec-Profile
VLAN: SALES-1

Name: SALES-Rep-Profile
VLAN: SALES-2

===========================
C. Create Auth Policy
===========================
Name: IT-1-Policy
Condition: Identity Group: IT-GROUP-1 & Wired-802.1x Authentication
Result: IT-Exec-Profile

Name: IT-2-Policy
Condition: Identity Group: IT-GROUP-2 & Wired-802.1x Authentication
Result: IT-Eng-Profile

Name: SALES-1-Policy
Condition: Identity Group: SALES-GROUP-1 & Wired-802.1x Authentication
Result: SALES-Exec-Profile

Name: SALES-2-Policy
Condition: Identity Group: SALES-GROUP-2 & Wired-802.1x Authentication
Result: SALES-Rep-Profile

*************************************
4. Configuring DHCP
*************************************
! Exclude the low part of each pool and the default gateway (.254) from the lease range.
ip dhcp excluded-address 172.16.1.1 172.16.1.100
ip dhcp excluded-address 172.16.1.254
!
ip dhcp excluded-address 172.16.2.1 172.16.2.100
ip dhcp excluded-address 172.16.2.254
!
ip dhcp excluded-address 172.16.3.1 172.16.3.100
ip dhcp excluded-address 172.16.3.254
!
ip dhcp excluded-address 172.16.4.1 172.16.4.100
ip dhcp excluded-address 172.16.4.254
!
ip dhcp pool IT-Exec
 network 172.16.1.0 /24
 default-router 172.16.1.254
 dns-server 10.10.101.230
!
ip dhcp pool IT-Eng
 network 172.16.2.0 /24
 default-router 172.16.2.254
 dns-server 10.10.101.230
!
ip dhcp pool SALES-Exec
 network 172.16.3.0 /24
 default-router 172.16.3.254
 dns-server 10.10.101.230
!
ip dhcp pool SALES-Rep
 network 172.16.4.0 /24
 default-router 172.16.4.254
 dns-server 10.10.101.230

*************************************
5. Layer 2 Handoff
*************************************

===============================================
1. Configure the VN (Subnet) for L2 Flooding
===============================================
Enable Flooding for IT-1

=======================================================
2. Configure the Border Switch as a Transparent Switch
=======================================================
vtp mode transparent

=======================================================
3. Configure L2 Handoff on the Border Device
=======================================================
- Specify the VN & the IP Subnet within it.
- Specify the external VLAN.
- Specify the interface that connects the Border to the Fusion.
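As an added check for section 2E (not part of these notes and not Cisco code), the following Python script parses the Fusion route-leaking config as plain IOS text and verifies it against the pool reservations from section 1A: every fabric VRF must import only the shared-services prefix through its route-map/ACL, and the global table must carry a static for exactly the four reserved pools, each exiting through the SVI of the VRF that owns it. The assumption it encodes is that 10.10.101.0/24 is the only prefix meant to cross from global into the VRFs, and the pool-to-SVI mapping is taken from sections 2C and 2E; the config string is copied from the notes.

```python
# Added example: consistency check for the Fusion route-leaking config (section 2E)
# against the pool reservations (section 1A).  Not part of the lab notes; the IOS
# text below is copied from them, everything else is illustration code.
import ipaddress

# Section 1A pools, mapped to the Fusion VRF SVI (section 2C) they are reached through.
POOLS = {
    "172.16.1.0/24": "Vlan3002",   # IT-1    -> IT_VN
    "172.16.2.0/24": "Vlan3002",   # IT-2    -> IT_VN
    "172.16.3.0/24": "Vlan3003",   # SALES-1 -> SALES_VN
    "172.16.4.0/24": "Vlan3003",   # SALES-2 -> SALES_VN
}
# Assumption: the DHCP/DNS subnet is the only prefix allowed from global into the VRFs.
SHARED_SERVICES = ipaddress.ip_network("10.10.101.0/24")
LEAKED_VRFS = ("IT_VN", "SALES_VN")

LEAK_CFG = """\
access-list 99 permit 10.10.101.0 0.0.0.255
!
route-map GLOBAL
 match ip address 99
!
vrf definition IT_VN
 address-family ipv4
  import ipv4 unicast map GLOBAL
!
vrf definition SALES_VN
 address-family ipv4
  import ipv4 unicast map GLOBAL
!
ip route 172.16.1.0 255.255.255.0 Vlan3002
ip route 172.16.2.0 255.255.255.0 Vlan3002
ip route 172.16.3.0 255.255.255.0 Vlan3003
ip route 172.16.4.0 255.255.255.0 Vlan3003
"""


def acl_entry_to_network(tokens):
    """Tokens after 'permit' in a standard ACL -> ip_network ('any', host, or addr wildcard)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if len(tokens) == 1:                      # bare address means a /32 host entry
        return ipaddress.ip_network(tokens[0] + "/32")
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False)


def parse_leak_config(cfg):
    """Collect ACL permits, route-map -> ACL, VRF -> import map, and global static routes."""
    acls, maps, imports, statics = {}, {}, {}, {}
    ctx = None  # (kind, name) of the enclosing route-map or vrf definition block
    for raw in cfg.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "access-list" and t[2] == "permit":
            acls.setdefault(t[1], []).append(acl_entry_to_network(t[3:]))
        elif t[0] == "route-map":
            ctx = ("map", t[1])
        elif t[:2] == ["vrf", "definition"]:
            ctx = ("vrf", t[2])
        elif t[:3] == ["match", "ip", "address"] and ctx and ctx[0] == "map":
            maps[ctx[1]] = t[3]
        elif t[:4] == ["import", "ipv4", "unicast", "map"] and ctx and ctx[0] == "vrf":
            imports[ctx[1]] = t[4]
        elif t[:2] == ["ip", "route"] and len(t) >= 5:
            statics[ipaddress.ip_network(f"{t[2]}/{t[3]}")] = t[4]   # prefix -> exit interface
    return acls, maps, imports, statics


def check_route_leaking(cfg):
    """Return a list of findings; an empty list means the config matches the design intent."""
    acls, maps, imports, statics = parse_leak_config(cfg)
    findings = []
    # Global -> VRF: each fabric VRF imports, and its ACL admits only the shared-services prefix.
    for vrf in LEAKED_VRFS:
        acl = maps.get(imports.get(vrf))
        if acl is None:
            findings.append(f"{vrf}: no 'import ipv4 unicast map' tied to an ACL")
            continue
        for net in acls.get(acl, []):
            if not net.subnet_of(SHARED_SERVICES):
                findings.append(f"{vrf}: ACL {acl} leaks {net}, wider than {SHARED_SERVICES}")
    # VRF -> global: exactly the reserved pools, each via the SVI of its own VRF.
    expected = {ipaddress.ip_network(p): svi for p, svi in POOLS.items()}
    for net, svi in expected.items():
        if net not in statics:
            findings.append(f"pool {net}: no static route into the global table")
        elif statics[net].lower() != svi.lower():   # IOS interface names are case-insensitive
            findings.append(f"pool {net}: exits {statics[net]}, expected {svi}")
    for net in statics.keys() - expected.keys():
        findings.append(f"{net}: leaked into the global table but is not a reserved pool")
    return findings


if __name__ == "__main__":
    problems = check_route_leaking(LEAK_CFG)
    print("route leaking: OK" if not problems else "route leaking: " + "; ".join(problems))
```

Run it against the config captured from `sh run` on the Fusion after any change to section 2E; a `permit any` slipping into ACL 99, a static for a subnet that is not in section 1A, or a pool static pointing at the wrong VRF SVI each produce a finding rather than silently widening the VRF boundary.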